ISO 27001:2013 Information Security Management standard calls for controls to be implemented on removable media to stop unauthorised access/ transmission of data.

There have been cases where a disgruntled employee downloads data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement because the damage is done. If this data contains sensitive information, then the company can be held liable under the Data Protection Act (GDPR).

Most security minded employers who wish to prevent data downloads can stop any transfer of data from a USB port or other device by incorporating this into the Computer Group Policy, installed from the network during boot up, this disabling of USB ports for this purpose; the ports can still be used for a keyboard or mouse.

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

A less effective method would be to have a ‘No USB memory stick’ condition in the Employee’s terms and conditions, but this does need to be policed, and is less effective.

I have spoken here about USB sticks but this applies equally to SD cards, i-pods, etc. The relatively large capacity of these devices, often gigabytes in size, does mean that a considerable amount of data can be downloaded.

Security of data must be extended to portable memory devices.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.

ISO 27001 calls for controls to be implemented on removable media to stop unauthorised access/ transmission of data. It is not unknown for a disgruntled employee to download data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement because the damage is done.

Sensible employers who wish to prevent data downloads can stop any transfer of data from a USB port or other device by incorporating this into the Computer Group Policy, installed from the network during boot up, this disabling the USB port for this purpose; the port can still be used for a keyboard or mouse.

A less effective method would be to have a ‘No USB memory stick’ condition in the Employee’s terms and conditions, but this does need to be policed.

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

I have spoken here about USB sticks but this applies equally to SD cards, i-pods, etc. The relatively large capacity of these devices, often gigabytes in size, does mean that a considerable amount of data can be downloaded.

Security of data must be extended to portable memory devices.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.