This policy provides guidelines for the regulated and secure usage of portable storage devices. Its goal is to protect the organization and its employees from internal and external threats and to provide mechanisms for maintaining and monitoring data access in these scenarios.

From the policy:

Summary
Portable storage media, which includes USB flash drives, SD or micro-SD cards (and the devices that contain them), and external hard drive units, allow employees to access or back up business data both inside and outside the office. However, the ease of use presented by portable storage devices can also place companies at significant risk of lost or stolen data. Moreover, malware can infect portable storage media, which can then be inadvertently or purposely introduced inside an organization’s networks, jeopardizing business operations.

External individuals, such as hackers, virus writers, and ransomware peddlers, are often seen as the biggest threat to organizations. However, industry statistics consistently indicate that insiders pose a larger danger. It makes sense when you consider the damage that a single disgruntled employee (or an employee unaware of good security practices) could cause to a company, based on access privileges outsiders don’t possess. Allowing employees to access data to do their jobs is a double-edged sword. Permitting organizational staff to install and use external hard disks, flash drives, and even personal media players makes the task of stealing corporate information that much easier.