USB / removable media policy
Demonstrate that the organization has implemented and enforces a documented removable media policy that controls device authorization, restricts usage through technical safeguards, and monitors compliance.
Description
What this control does
This control establishes and enforces an organizational policy governing the use of USB drives, external hard drives, optical media, and other removable storage devices on enterprise systems. It typically defines approved device types, registration/authorization workflows, technical restrictions (such as read-only access or device whitelisting), and procedures for scanning media for malware before use. The policy reduces the risk of data exfiltration, malware introduction, and unauthorized data transfers by standardizing how portable media interacts with the corporate environment.
Control objective
What auditing this proves
Demonstrate that the organization has implemented and enforces a documented removable media policy that controls device authorization, restricts usage through technical safeguards, and monitors compliance.
Associated risks
Risks this control addresses
- Malware infection via contaminated USB drives or external media introduced from untrusted environments
- Unauthorized exfiltration of sensitive data by copying files to personal removable storage devices
- Introduction of unlicensed or pirated software via optical media or USB drives, creating legal and security exposure
- Data leakage through lost or stolen removable media containing unencrypted organizational information
- Insider threats leveraging unrestricted removable media access to transfer intellectual property or confidential records
- Compromise of air-gapped or isolated systems through physical delivery of infected removable devices
- Unauthorized installation of hardware keyloggers or malicious devices disguised as USB peripherals
Testing procedure
How an auditor verifies this control
- Obtain and review the current removable media and USB device policy document, noting scope, authorized device types, approval processes, and technical enforcement requirements.
- Identify the technical controls deployed to enforce the policy, such as endpoint protection platforms, device control software, Group Policy Objects, or mobile device management (MDM) solutions.
- Select a representative sample of workstations and servers across departments and extract endpoint device control configuration settings or Group Policy reports.
- Verify that unauthorized removable media is blocked or restricted by connecting an unapproved, organization-owned and known-clean test USB drive to sampled endpoints (with the control owner's agreement) and documenting the system response, including any event the device control tool records.
- Review device control or endpoint event logs for a defined recent period to identify USB or removable media insertion events, distinguishing approved from blocked attempts and flagging any allowed device that does not appear in the authorization register.
- Examine the device authorization register or whitelist to confirm that approved removable media are documented with device IDs, owners, business justification, and approval dates.
- Interview IT administrators and a sample of end users to assess awareness of the removable media policy and understanding of procedures for requesting device authorization.
- Review incident response records for security events involving removable media (malware detections, unauthorized data transfers, lost or stolen devices) to verify that detection and remediation procedures were followed.
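The configuration, log and register checks in the procedure above reduce to a reconciliation exercise that is easy to script once the evidence has been exported. The following is an added example, not code from the original page or from any vendor's device control product. It assumes three constructed artefacts: a device authorization register, a CSV export from a hypothetical device control agent with the columns `timestamp,host,action,vid_pid,serial,user`, and a registry snapshot per sampled endpoint. The policy paths checked are the standard Windows "Removable Disks: Deny write access / Deny execute access" values; the decision that the documented policy requires both is an assumption for the example.

```python
"""Reconcile removable-media audit evidence (added example, constructed data).

Three questions an auditor asks of the collected evidence:
  1. Is every register entry complete (device ID, owner, justification, date)?
  2. Did the technical control ever ALLOW a device that is not in the register?
  3. Does each sampled endpoint's policy export match the documented setting?
"""
import csv
from io import StringIO

# Device authorization register (constructed sample, not real data).
REGISTER = [
    {"device_id": "VID_0951&PID_1666\\1A2B3C4D", "owner": "jdoe",
     "justification": "Field data collection", "approved_on": "2024-03-11"},
    {"device_id": "VID_0781&PID_5591\\9F8E7D6C", "owner": "asmith",
     "justification": "", "approved_on": "2024-01-20"},  # justification missing
]

# Device control agent export (constructed). Columns:
# timestamp,host,action,vid_pid,serial,user
EVENT_LOG = """\
2024-05-02T09:14:22Z,WS-0412,ALLOW,VID_0951&PID_1666,1A2B3C4D,jdoe
2024-05-02T10:02:47Z,WS-0412,BLOCK,VID_090C&PID_1000,00000112,jdoe
2024-05-02T11:30:05Z,SRV-DB01,ALLOW,VID_0BDA&PID_0184,5555AAAA,svc_backup
2024-05-03T08:45:10Z,WS-0117,ALLOW,VID_0781&PID_5591,9F8E7D6C,asmith
"""

# Windows policy values for the "Removable Disks" device class. The example
# assumes the documented policy is read-only, no execution from removable disks.
REMOVABLE_DISKS = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                   r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")
DENY_WRITE = REMOVABLE_DISKS + r"\Deny_Write"
DENY_EXECUTE = REMOVABLE_DISKS + r"\Deny_Execute"
EXPECTED_POLICY = {DENY_WRITE: 1, DENY_EXECUTE: 1}

# Registry exports from two sampled endpoints (constructed).
SNAPSHOTS = {
    "WS-0412": {DENY_WRITE: 1, DENY_EXECUTE: 1},
    "SRV-DB01": {DENY_WRITE: 0},  # writes allowed, execute setting absent
}


def register_defects(register):
    """Return (device_id, missing_field) pairs for incomplete register rows."""
    required = ("device_id", "owner", "justification", "approved_on")
    return [(row.get("device_id", "?"), field)
            for row in register for field in required if not row.get(field)]


def reconcile_events(register, log_text):
    """Classify insertion events as approved, blocked, or an enforcement gap.

    An ALLOW event for a device absent from the register means the technical
    control admitted an unauthorized device; that is the finding that matters.
    """
    approved_ids = {row["device_id"] for row in register}
    summary = {"approved": 0, "blocked": 0, "unregistered_allowed": []}
    for ts, host, action, vid_pid, serial, user in csv.reader(StringIO(log_text)):
        device_id = f"{vid_pid}\\{serial}"  # same key format as the register
        if action == "BLOCK":
            summary["blocked"] += 1
        elif device_id in approved_ids:
            summary["approved"] += 1
        else:
            summary["unregistered_allowed"].append((ts, host, user, device_id))
    return summary


def policy_gaps(snapshot):
    """Return (path, expected, actual) for each policy value that deviates.

    A missing value is reported as None; an unset policy is a gap too.
    """
    return [(path, want, snapshot.get(path))
            for path, want in EXPECTED_POLICY.items() if snapshot.get(path) != want]


if __name__ == "__main__":
    print("Register defects:", register_defects(REGISTER))
    print("Event reconciliation:", reconcile_events(REGISTER, EVENT_LOG))
    for host, snap in SNAPSHOTS.items():
        print(f"Policy gaps on {host}:", policy_gaps(snap))
```

The interesting output is the single ALLOW event on SRV-DB01 for a device with no register entry: the log alone looks healthy (one blocked attempt, three allowed), and only the join against the register reveals that the server also lacks the expected deny-write setting. Match device IDs on VID/PID plus serial, as above; matching on VID/PID alone lets any drive of the same model through.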
Where this control is tested