Free Essay

Removable Media Policy

In: Computers and Technology

Submitted By lmannino
Words 1274
Pages 6
The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business requirements to connect portable removable media to any infrastructure within Richman Investments internal network or related technology resources. This removable media policy applies to, but is not limited to all devices and accompanying media that fit the following device classifications:
• Portable USB-based memory sticks, also known as flash drives, thumb drive, jump drives, or key drives.
• Memory cards in SD, CompactFlash, Memory Stick, or any related flash-based supplemental storage media.
• USB card readers that allow connectivity to a PC.
• Portable MP3 and MPEG-playing music and media player-type devices such as IPods with internal flash or hard drive based memory that supports a data storage function.
• PDAs, cell phone handsets, and smart phones with internal flash or hard drive based memory that support a data storage function.
• Digital cameras with internal or external memory support.
• Removable memory based media, such as DVDs, CDs, and floppy disks.
• Any hardware that provides connectivity to USB devices through means such as wireless (Wi-Fi, WiMAX, IrDA, Bluetooth, among others) or wired network access.
This policy applies to any hardware and related software that could be used to access corporate resources, even if said equipment is not corporately sanctioned, owned, or supplied. The overriding goal of this policy is to protect the confidentiality, integrity, and availability of resources and assets that reside within Richman Investments technology infrastructure. A breach could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing the use of removable media and/or USB-based technology to back up, store, or otherwise access corporate resources of any type must adhere to company defined processes for doing so.
This policy applies to all Richman Investment employees, including full and part time staff, contractors, freelancers, and other agents who utilize either company owned or personally owned removable media and/or USB-based technology to store, back-up, relocate, or access any organization owned asset or network resource. Employment at Richman Investments does not automatically guarantee the initial and ongoing ability to use these devices within the enterprise technology environment. It addresses the following threats:
Threat Description
Loss Devices used to transfer or transport work files could be lost or stolen.
Theft Sensitive corporate data is deliberately stolen and sold by an employee.
Copyright Software copied onto portable memory device could violate licensing.
Spyware Spyware or tracking code enters the network via memory media.
Malware Viruses, Trojans, Worms, and other threats could be introduced via external media.
Compliance Loss or theft of financial and/or personal and confidential data could expose the enterprise to the risk of non-compliance with various state and federal regulations.

Addition of new hardware, software, and/or related components to provide additional USB-related connectivity within corporate facilities will be managed at the sole discretion of IT. Non-sanctioned use of USB-based hardware, software, and/or related components to back up, store, or otherwise access any enterprise-related data is strictly forbidden.
All USB-based devices and the USB ports used to access workstations and other related connectivity points within the corporate firewall will be centrally managed by Richman Investments IT department and will utilize encryption and strong authentication measures. Although IT is not able to manage the external devices (such as home PCs) to which the memory resources will also be connected, end users are expected to adhere to the same security protocols when connected to non-corporate equipment. Failure to do so will result in immediate suspension of all network access privileges to protect the company’s infrastructure.
It is the responsibility of any Richman Investments employee using any type of removable media or connecting a USB-based memory device to the organizational network to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here. It is imperative that any portable memory that is used to conduct Richman Investments business be utilized appropriately, responsibly, and ethically; failure to do so will result in immediate suspension that of user’s account. Based on this, the following rules must be observed:
1. IT reserves the right to refuse, by physical and non-physical means, the ability to connect removable media and USB devices to corporate and corporate-connected infrastructure. IT will engage in such action if it feels such equipment is being used in such a way that it puts the company’s system, data, users, and clients at risk.
2. End users who wish to connect such devices to non-corporate network infrastructure to gain access to enterprise data must employ, for their devices and related infrastructure, a company approved personal firewall and any other security measure deemed necessary by the IT department.
3. Employees using removable media and USB-related devices and related software for data storage, back up, transfer, or any other action within Richman Investments technology infrastructure will, without exception, use secure data storage and management procedures. A simple password is insufficient.
4. All removable media and/or USB-based devices that are used for business interests must be pre-approved by IT, and must employ reasonable physical security measures. End users are expected to secure all such devices used for this activity whether or not they are actually in use and/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices whenever they contain enterprise data. Any non-corporate computers used to synchronize with these devices will have installed whatever anti-virus and anti-malware deemed necessary by Richman Investments IT department. Anti-virus signature files on any additional client machines, such as a home PC, on which this media will be used must be updated in accordance with company policy.
5. All removable media will be subject to quarantine upon return to the office before they can be fully utilized on the enterprise infrastructure.
6. Richman Investments IT department will support its sanctioned hardware and software, but is not responsible for conflicts or problems caused by the use of unsanctioned media. This applies even to devices already known by the IT department.
7. Employees will make no modifications of any kind to company owned and installed hardware and software without the express approval of Richman Investments IT department. This includes, but is not limited to, reconfiguration of USB ports.
8. IT may restrict the use of Universal Plug and Play on any client PCs that it deems to be particularly sensitive.
9. IT reserves the right to disable USB ports to limit physical and virtual access.
10. IT can and will establish audit trails in all situations it feels merited. Such trails will be able to track the attachment of an external device to a PC, and the resulting reports may be used for investigations of possible breaches and/or misuse. The end user agrees to and accepts that his or her access and/or connection to Richman Investments networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity.

Failure to comply with the Removable Media Acceptable Use Policy may, at the full discretion of the organization, result in the suspension of any and all technology use and connectivity privileges, disciplinary action, and possibly termination of employment.

This policy is effective immediately. Any and all employees who use removable media and/or USB-related devices must bring them to IT for approval and to ensure that they meet the required criteria.

Similar Documents

Free Essay

Student

...Net-Worm.Win32.Kido.ih Detected | Feb 20 2009 07:04 GMT | Released | Apr 02 2009 16:24 GMT | Published | Feb 20 2009 07:04 GMT | Manual description Auto description This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program. Manual description Auto description This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information. Technical Details Payload Removal instructions Technical Details This network worm spreads via local networks and removable storage media. The program itself is a Windows PE DLL file. The worm components vary in size from 155KB to 165KB. It is packed using UPX. Installation The worm copies its executable file with random names as shown below: %System%\<rnd> %Program Files%\Internet Explorer\<rnd>.dll %Program Files%\Movie Maker\<rnd>.dll %All Users Application Data%\<rnd>.dll %Temp%\<rnd>.dll %Temp%\<rnd>.tmp <rnd> is a random string of symbols. In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be......

Words: 1158 - Pages: 5

Free Essay

It 255 Project Part 2 Richman Investments Project Part Ii

...Richman Investments Removable Media Acceptable Use Policy Policy statement It is the goal of Richman Investments to implement the controlled use of removable media devices that transfer information by all users who have access to any means of data within the company. Objective This form is an official Richman Investments document pertaining to the establishment of principles and working practices that are to be abided by all users in order for data to be safely stored and transferred by means of a removable device. The importance of controlling removable media and the objective of this policy is to: 1. Prohibit any unauthorized disclosure of information as may be necessary to company policy. 2. Maintain data integrity. 3. Build network integrity by instilling confidence and trust with data on the network. 4. Keep high standards of security with the use of protected and restricted data. 5. Avoid malicious network intusions. 6. Prevent unintended or malicious harm on the Richman Investments data network. Applicable Parties This policy applies to all Richman Investment employees, members, committees, business partners, third party IT services, guests, or anyone who is approved access to the data network, IT hardware resources, or any equipment with means of access to files within Richman Investments. Removable Devices Defined 1. USB Memory sticks (flash drive) 2. USB or external hard drive 3. Media Card Readers 4. Embedded......

Words: 1105 - Pages: 5

Premium Essay

Is362

...Professional needs to education their users of the dangers of these vulnerabilities presented. Next before the workstations go on the network the security professional should ensure the correct fixes patches and updates are installed. There should also be security policies implemented such as the prohibiting of certain media, and websites. 2. Your employees e-mail fi le attachments to each other and externally through the organization’s firewall and Internet connection. What security countermeasures can you implement to help mitigate the risk of rogue e-mail attachments and URL Web links? The security professional should find a antivirus that has a link scanner and email attachment scan before they are opened. 3. 3. Why is it recommended to do an antivirus signature fi le update before performing an antivirus scan on your computer? This is recommended because a virus might miss an infection if it is newer than the signature database on the antivirus. 4. Once a malicious fi le is found on your computer, what are the default settings for USB/removable device scanning? What should organizations do regarding use of USB hard drives and slots on existing computers and devices? The default setting for USB/removable device scanning is dependent on the type of anti-virus that you are using. A windows machine will prompt you to decide what you want to do...

Words: 506 - Pages: 3

Free Essay

Nt2580 Research Project Part 2

...are greater. We have decided to implement the following policy for removable media: Richman Investments staff may only use Richman Investments’ removable media in their work computers. Richman Investments removable media may not be connected to or used in computers that are not owned or leased by the Richman Investments without explicit permission of the Richman Investments IT manager. Sensitive information should be stored on removable media only when required in the performance of your assigned duties or when providing information required by other state or federal agencies. When sensitive information is stored on removable media, it must be encrypted in accordance with the Richman Investments’ Acceptable Encryption Policy. Security assurance and user-friendly sites are required if Richman Investments is to be successful at attracting customers to their Internet sites. It is therefore important to be able to understand the business requirements and be able to translate these into a public network presence with security in mind. The Digital revolution of the 21st Century has not been achieved without its consequences. Real time business requirements and economic drivers have forced rapid changes to the methods used to conduct business-to-business and business to client communication. The Internet has now become a convenient and economic deployment medium for global business. Richman Investments Computer users’ policy: Although employees are given PCs so they can......

Words: 1544 - Pages: 7

Premium Essay

Department of Defense (Dod) Ready

...Department of Defense (DoD) Ready The task is establish security policies for my firm of approximately 390 employees and make them Department of Defense (DoD) compliant. To achieve this goal, a list of compliance laws must be compiled to make sure we me the standard. I will outline the controls placed on the computing devices that are being utilized by company employees. I will develop a plan for implementation of the new security policy. The task of creating a security policy to make my firm DoD complaint starts with knowing what laws to become complaint with. There an array of laws to adhere to, but I have listed the majors laws that the firm must comply with. The following is a list of laws that the firm must become complaint with Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public (DPAP, 2014). The following is a list of standards for handling unclassified DoD information retrieved from Hogan Lovells website (2016). • prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials • using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar......

Words: 2282 - Pages: 10

Premium Essay

Nt1330 Unit 8 Assignment 1

...Group Policy in a Mixed Client OS Environment Unit 8 Assignment 1 ITT Technical Institute Floyd Washington Jr. May 16, 2015 Group policy is a tool used for customizing, controlling, and securing Windows operating systems. It was introduced in Windows 2000 as part of the IntelliMirror technologies. Group policy can be applied at the local computer level or to OU’s, domains, or sites in an Active Directory environment. Group policy was supported by Windows XP Professional, but not XP Home Editions. Group Policy in Vista adds many settings which gives administrators more control over users and computers. In this essay I will discuss five of the newer features that was not in the older versions of windows. * The first policy that I will discuss is the Control Removable Media policy. Devices like thumb drives, flash memory card readers, and external USB hard disks made it easy for users to transfer data between two computers. Although convenient, the ease that removable media created brought about the rise in industry espionage. User could easily copy and share company secrets with competitors by copying the information on to a removable device and uploading it to another computer. Software was made available to block access to USB ports on sensitive terminals. * The second policy that I will discuss is the Control power management settings. Power management on a single computer can save energy and money. Enforcing a power management strategy can save a......

Words: 532 - Pages: 3

Free Essay

Nt2580 Unit 1 Assignment: Internal Use Only Policy

...Charles Elliot 6/20/15 To: Richman Investments Employees. Subject: Internal Use Only Policy This report is to inform all members of Richman investments of their Internal Use Only policy. We will be discussing what this policy means, its effect on running day to day tasks on the network, and what protocols we are to follow when under the enforcement of this policy. Internal use only simply means that the data stays on site, or that an organization shares the information internally. And while the information may or may not be of a sensitive nature, there will be no exchange of data or communication of any kind outside of the organization. Any person(s) who wish to gain access to any information within Richman Investments infrastructure must authenticate themselves by logging on to their User profile and entering their password. All Users must agree and adhere to the AUP-Acceptable Use Policy. The AUP is a policy that states what a user can or cannot do with information from Richman Investments. Failure to adhere to the AUP will result in disciplinary actions both in their profession as well as legal disciplinary actions. The workstation is where the User connects to the infrastructure. There are no personal or recording devices or removable media of any kind allowed at the workstation. Richman Investments will provide and devices and removable media themselves, also these devices are never to leave the premises. The infrastructure administrators will determine which......

Words: 317 - Pages: 2

Free Essay

Internal Use

...domains that the Richman Investments “Internal Use Only” data classification policy applies to. “Internal Use Only” is used to classify any internal data shared within our organization that may or may not be confidential in nature but is not intended to leave the company. The three main domains affected by this policy are the User Domain, Workstation Domain, and the LAN Domain. The User Domain is anyone who accesses the company’s information system and is the weakest link in the infrastructure. Users will be strictly held to the acceptable use policy (AUP) which acts as a guidebook for what users are allowed to do with the company’s IT assets. Violation of the AUP can be grounds for immediate dismissal and/or legal actions. Any third party that may need access to our systems will need to adhere to these policies as well and will need to sign an agreement before any access is given. The Human Resources department will be responsible for ensuring that all employees have signed an agreement to the AUP. All employees must pass a background check and their identities verified by HR before any access to Richman’s systems are granted. The Workstation Domain is where most users will connect to Richman’s IT infrastructure. This includes all desktops, laptops, PDAs, smartphones, and tablets. No personal devices or removable media will be allowed to connect to Richman’s system. Any devices or removable media needed to conduct business will be issued by Richman’s IT department and be......

Words: 334 - Pages: 2

Premium Essay

Richman Investments

...force. Our data classification standard will include the User Domain, Workstation Domain, and the LAN Domain. This will cover all personnel and their workstations, all the physical components, as well access to the internet and company databases and any information in between. The User Domain which defines what information an employee can access. The User Domain will enforce an acceptable use policy (AUP) .Our AUP will define how the internal use data is used by each employee. All personnel gaining access to the company data base must read and sign the AUP policy and strictly adhere to Richman Investments acceptable use policy. This includes any contractor or third-party representatives. All users must sign this AUP prior to gaining any access to the company network. Any unauthorized use or breach of this policy in any manner can be cause for punitive action or dismissal. The Workstation Domain includes all workstations and media devices approved for use on the company network. No personal devices or removable media may be used on Richman Investments network. All devices and removable media will be issued by the company for official use only. To access any workstation, a user will need to have an account created to access the company network. All users will then be able to log in with a username and password. The IT departments will set standards on the complexity of the password and the interval that the password is required to be changed. All systems will have anti-virus......

Words: 461 - Pages: 2

Free Essay

Internal Use Only

...domains that the Richman Investments “Internal Use Only” data classification policy applies to. “Internal Use Only” is used to classify any internal data shared within our organization that may or may not be confidential in nature but is not intended to leave the company. The three main domains affected by this policy are the User Domain, Workstation Domain, and the LAN Domain. The User Domain is anyone who accesses the company’s information system and is the weakest link in the infrastructure. Users will be strictly held to the acceptable use policy (AUP) which acts as a guidebook for what users are allowed to do with the company’s IT assets. Violation of the AUP can be grounds for immediate dismissal and/or legal actions. Any third party that may need access to our systems will need to adhere to these policies as well and will need to sign an agreement before any access is given. The Human Resources department will be responsible for ensuring that all employees have signed an agreement to the AUP. All employees must pass a background check and their identities verified by HR before any access to Richman’s systems are granted. The Workstation Domain is where most users will connect to Richman’s IT infrastructure. This includes all desktops, laptops, PDAs, smartphones, and tablets. No personal devices or removable media will be allowed to connect to Richman’s system. Any devices or removable media needed to conduct business will be issued by Richman’s IT department and be......

Words: 365 - Pages: 2

Free Essay

Nt2580 Unit 1 Assignment 2

...domains. “Internal Use Only” sets up a restricted access security policy to our network. Any access, including from a website would require company mandated credentials to log on and enter the system. This type of policy is enforced because companies do not want to allow “free access” to their network for potential threats to their system or their security. This policy will impact three of the seven domains. These include: * User Domain * Define: This Domain defines what users have access to the information system.   * Policy Impact: The IT Team will use the User domain to define who has access to the company’s information systems. The domain will impose an acceptable use policy (AUP) that will define the permissions of what actions a user may make while inside the system. These permissions may also be defined by the data they are accessing at the time. All third party users (vendors, contractors, outside users, etc.) must also agree to the AUP. Any violation will be reported to management and/or the authorities, depending on the violation. * Workstation Domain * Define: This defines the devices used to access and connect to the information system. * Policy Impact: First, all devices and removable media connected to the information system must be issued and approved by the company.  At no time should any user of the system connect a unauthorized device or removable media. Second, the IT Team will provide all employee workstations with......

Words: 508 - Pages: 3

Premium Essay

Unit 1 Assignment 2

...communications are not planned to leave the organization. The report is designed to describe and explain the standards for the “Internal use only” data classification at the Richman Investments location, this report will address which IT set-up domains are affected by the standard and how. The first IT set-up affected by core use is the User Domain. The User Domain describes the people who access an organization’s information system. The user domain will enforce an Acceptable Use Policy (AUP) that defines what each user can and cannot do with the company’s data. With company users, any outsiders, contractor’s or third party agents will also need to agree and comply with the Acceptable Use Policy. Any violation will be taken up with management or the proper establishments to access further corrective action. Work Station Domain: This is where most of the company’s users connect to get to the IT set-up. No personal devices or removable media may be allowed on this network ever. All devices and removable media will be issued by the company for official work use. Access Control Lists (ACLs): ACLs will be tired up to appropriately define which access the users are allowed to use. Any violation causes an immediate suspension of rights and the person(s) in violation will be subject to company management’s choices and or the proper experts will be called. LAN Domain: A LAN Domain is a collection of computers that are solid to one another. Data closets and physical elements of the......

Words: 413 - Pages: 2

Premium Essay

Unit 1 Assignment 2

...communications are not planned to leave the organization. The report is designed to describe and explain the standards for the “Internal use only” data classification at the Richman Investments location, this report will address which IT set-up domains are affected by the standard and how. The first IT set-up affected by core use is the User Domain. The User Domain describes the people who access an organization’s information system. The user domain will enforce an Acceptable Use Policy (AUP) that defines what each user can and cannot do with the company’s data. With company users, any outsiders, contractor’s or third party agents will also need to agree and comply with the Acceptable Use Policy. Any violation will be taken up with management or the proper establishments to access further corrective action. Work Station Domain: This is where most of the company’s users connect to get to the IT set-up. No personal devices or removable media may be allowed on this network ever. All devices and removable media will be issued by the company for official work use. Access Control Lists (ACLs): ACLs will be tired up to appropriately define which access the users are allowed to use. Any violation causes an immediate suspension of rights and the person(s) in violation will be subject to company management’s choices and or the proper experts will be called. LAN Domain: A LAN Domain is a collection of computers that are solid to one another. Data closets and physical elements of the......

Words: 414 - Pages: 2

Premium Essay

Project Pt 2 It255

...user aware to the risks and threats that they are susceptible to by holding an Awareness Training session. The system is password protected however; you should change passwords every few months to prevent an attack. Also, log the users as they enter and exit the system to make sure there’s no unauthorized access. While it’s the company’s choice to allow employees to bring in USB/Removable drives, you have a threat to someone obtaining the wrong information, or getting malicious software into the system. If you allow the USB/Removable drives, have a virus scan every time someone inserts one into a company computer. In a Workstation Domain, you need to make sure virus protection is set up. You are protecting administrative, workstations, laptops, departmental workstations and servers, network and operating system software. You can enable password protection and auto screen lockout for inactive times, use workstation antivirus and malicious code policies, use content filtering and antivirus scanning at internet entry and exit, and update application software and security patches according to the policies and standards. You need to also make sure that the laptops are up to date on the anitivirus software. The LAN domain will have all the protocols...

Words: 683 - Pages: 3

Premium Essay

Computer Forensics Operational Manual

...COMPUTER FORENSICS OPERATIONAL MANUAL 1. Policy Name: Imaging Removable Hard Drives 2. Policy Number/Version: 1.0 3. Subject: Imaging and analysis of removable evidence hard drives. 4. Purpose: Document the procedure for imaging and analyzing different types of evidence hard drives removed from desktop or laptop computers. 5. Document Control:Approved By/Date: Revised Date/Revision Number: 6. Responsible Authority: The Quality Manager (or designee). 7. Related Standards/Statutes/References: A) ASCLD/LAB Legacy standards 1.4.2.5, 1.4.2.6, 1.4.2.7, 1.4.2.8, 1.4.2.11, and 1.4.2.12. B) ASCLD/LAB International Supplemental requirements: 3 (Terms and Definitions), 4.13.2.4, 5.4.1.1, 5.4.1.2, 5.4.2.1. C) ISO/IEC 17025:2005 clauses: 4.1.5 (a, f, g, h, and i), 4.2.1, 4.2.2 (d), 4.2.5, 4.3.1, 4.15.1, 5.3.2, 5.4.1, 5.4.4, 5.4.5.2, 5.4.7.2 (a - c), all of 5.5, all of 5.8, and 5.9.1 (a). 8. Scope: Imaging and examining different types of hard drives (SATA, SCSI, and IDE) removed from desktops and laptops. 9. Policy Statement: A) No analysis will be performed without legal authority (search warrant or consent form). If not submitted, the examiner must contact the investigator to obtain the necessary legal authority. B) Forensic computers are not connected to the Inter-net. C) All forensic archives created and data recovered during examinations are considered evidence. D) Changes to this procedure can be made if approved by the Quality Manager, who will document the changes...

Words: 731 - Pages: 3