Your organization is heavily invested in security. It likely
maintains firewall technologies, works to counter social engineering attacks
and monitors an intrusion detection system. Wireless transmissions may be
encrypted and the server room probably requires a key code separate from the
facility’s regular entrances. Password policies may even be in place requiring
users to log on to organization systems using only complex alphanumeric

But all those efforts may be for naught. Just one user strolling
out of work with a portable disk drive buried in a backpack can easily abscond
with 250GB or more a day of sensitive, confidential and proprietary data. Think
about those ramifications and you’ll see why it’s necessary for most any
organization with sensitive data to implement and enforce a portable storage

Think that’s overkill? Then consider the facts. Industry
statistics regularly repeat that insiders consistently pose the single biggest
threat to organizations. A single disgruntled employee or contractor armed with
a valid user account, password, network access and physical access to systems
can easily cause more harm than an army of hackers. Allowing an organization’s
staff members to install external hard disks, flash-based memory drives and
even iPods on organization systems makes the task of stealing corporate
information and data that much easier.

Portable storage policy

While implementing a strong portable storage policy won’t
make anyone in the Information Technology department popular, it will prove a
significant step in helping secure the organization’s data. Unauthorized
duplication, and the prohibited distribution of sensitive information outside
the company, will prove much more difficult if employees aren’t permitted to
bring portable drives and audio players (which can easily transport sensitive
data outside organization walls without detection) on company property.

Further, your organization’s portable storage policy should ensure that
employees and staff using mobile systems (such as laptop computers and
Blackberry-type telephones) understand they’re prohibited from transferring any
organization data to portable storage devices whether the staff member is in
the office or not. While having staff members sign such a policy upon beginning
employment  won’t necessarily prevent
unauthorized data loss, it will prove helpful in prosecuting offenders. For
this reason your organization’s legal team may be asking that the Information
Technology department implement such a policy.

Ensure your organization’s portable storage policy has
teeth. Be sure to list the types of devices that are prohibited, what steps
should be taken in the event of a violation and the penalties offenders could

Among the devices that should be prohibited are the

  • External
    hard disks
  • Portable
    hard drives
  • Portable
    network accessible storage drives
  • All
    forms of flash memory cards
  • Flash
    memory-based “thumb” drives
  • MP3
    audio players
  • iPods

If you’re unsure whether your organization necessarily
requires a portable storage policy, complete TechRepublic’s Portable Storage
Vulnerability Assessment, which will help gauge your organization’s exposure.
Should your organization require a portable storage policy, check out
TechRepublic’s Portable Storage Policy for a ready-made template you can use
as-is or customize to meet your organization’s specific needs.

Just rolling out such a policy won’t solve your organization
portable storage issues, however. The Information Technology department must
vigorously enforce such a policy. Otherwise the effort is nothing but a
paperwork exercise.

You can quickly implement a portable storage policy in your organization
by downloading TechRepublic’s Portable Storage Policy. Included you’ll
find a risk assessment spreadsheet that will help you determine the
importance of such a policy to your organization’s security along with a
basic policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.