DLP inspects writes to removable media
Demonstrate that the organization's DLP solution actively inspects content being written to removable media and enforces data protection policies before data leaves organizational endpoints.
Description
What this control does
Data Loss Prevention (DLP) systems monitor and inspect all data being written to removable media devices such as USB drives, external hard drives, and optical media in real time. When a user attempts to copy files to removable media, the DLP solution scans the content against configured policies that classify data based on sensitivity labels, patterns (credit cards, SSNs, intellectual property markers), or contextual rules. If prohibited content is detected, the DLP system can block the write operation, quarantine the data, redact sensitive portions, encrypt the transfer, or log the event for review while allowing the transfer under controlled conditions.
Control objective
What auditing this proves
Demonstrate that the organization's DLP solution actively inspects content being written to removable media and enforces data protection policies before data leaves organizational endpoints.
Associated risks
Risks this control addresses
- Unauthorized exfiltration of sensitive data (trade secrets, customer PII, financial records) via USB drives by malicious insiders
- Accidental exposure of regulated data (PHI, PCI, export-controlled technical data) when employees copy files to personal removable media
- Bypass of network-based data controls when attackers or insiders use physical media to avoid logged network transfers
- Loss of intellectual property through contractor or temporary worker removal of source code or design documents on external drives
- Compliance violations (GDPR, HIPAA, ITAR) due to unmonitored transfer of regulated information to unencrypted removable media
- Chain-of-custody gaps where sensitive data leaves the enterprise without audit trail or forensic visibility
- Malware introduction or data theft via removable media that is used both to bring files in and to carry data out, bypassing endpoint detection and response controls
Testing procedure
How an auditor verifies this control
- Obtain and review the current DLP policy configuration governing removable media writes, including classification rules, content inspection patterns, and enforcement actions (block, encrypt, alert, quarantine).
- Verify DLP agents are deployed and active on a representative sample of endpoint devices (workstations, laptops) across departments with access to sensitive data.
- Identify the list of removable media device types (USB mass storage, external HDDs, SD cards) explicitly covered by the DLP inspection policy.
- Execute a controlled test by attempting to copy a file containing test sensitive data (mock PII, labeled confidential document) to a USB drive on a monitored endpoint.
- Observe whether the DLP system intercepts the write operation in real time and applies the configured policy action (block, prompt, encrypt, or log).
- Review DLP event logs and dashboards for the test transaction to confirm detection accuracy, classification applied, user identity, timestamp, file hash, and action taken.
- Interview IT security staff to verify the process for tuning DLP rules, handling false positives, and escalating policy violations to incident response.
- Cross-reference a sample of recent removable media write events from DLP logs with help desk tickets or security incident records to validate operational effectiveness and review handling of actual violations.
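As an added illustration of the inspection and logging behaviour described above (not part of this control text or of any vendor's DLP product), the following Python models the decision a DLP agent makes on a pending removable-media write: pattern rules with a Luhn check to suppress false positives on card-like numbers, a sensitivity-label rule, an assumed policy mapping classifications to enforcement actions, and an audit record carrying the fields an auditor reviews (user, timestamp, file hash, classification, action). The rule set, label, device name and action mapping are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed inspection rules (assumed, not a vendor's rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # card-like digit runs
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN pattern
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b")              # sensitivity label
# Assumed policy: classification -> enforcement action.
ACTIONS = {"PCI": "block", "PII": "block", "CONFIDENTIAL": "encrypt"}


def luhn_ok(digits):
    """Luhn checksum; rejects card-like numbers that are not valid PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the classifications the content-inspection rules match."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("PCI")
            break
    if SSN_RE.search(text):
        found.append("PII")
    if LABEL_RE.search(text):
        found.append("CONFIDENTIAL")
    return found


def inspect_write(user, path, content, device="USB mass storage"):
    """Inspect a pending write to removable media; return the audit event."""
    classes = classify(content.decode("utf-8", errors="replace"))
    actions = {ACTIONS[c] for c in classes}
    # Most restrictive configured action wins: block > encrypt > allow.
    action = "block" if "block" in actions else "encrypt" if actions else "allow"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user, "device": device, "file": path,
        "sha256": hashlib.sha256(content).hexdigest(),
        "classification": classes, "action": action,
    }
```

Running `inspect_write` on a constructed file containing a mock card number and SSN mirrors the controlled test in the procedure: the returned event is the record an auditor would expect to find in the DLP logs.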
Where this control is tested