Your organization's Thumb Drive Policy

carnage519

Member
Dec 19, 2008
26
0
0
I am looking to draft a thumb drive security policy. What is your organization's stance on users bringing in thumb drives?
 

Billb2

Diamond Member
Mar 25, 2005
3,035
70
86
Slam stomp, stomp. click, click
Thumb drive Nazis are coming.
They'll never take me alive......................

Seriously, what are you (or your organization) trying to accomplish?
 

WobbleWobble

Diamond Member
Jun 29, 2001
4,867
1
0
Due to the number of thefts and losses, we tell our users to buy USB drives with built-in hardware encryption like Iron Key, Cruzer Enterprise, or DataTraveler Vaults.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
No removable media is allowed on computers (this includes writing to CD/DVD). Period. Enforced by SecureWave Sanctuary.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Here is a decent policy:

Company Thumbdrives:
- Must be stored in a secure location when not in use
- Must be encrypted and password protected
- Must not be used for personal use
- Must have files removed when no longer needed

Personal Thumbdrives:
- Cannot be used on other company servers, desktops, or laptops
- Cannot contain executables
- Cannot be used to store company documents
- Use can be revoked at the discretion of IT Management
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: SagaLore
Here is a decent policy:

Company Thumbdrives:
- Must be stored in a secure location when not in use
- Must be encrypted and password protected
- Must not be used for personal use
- Must have files removed when no longer needed

Personal Thumbdrives:
- Cannot be used on other company servers, desktops, or laptops
- Cannot contain executables
- Cannot be used to store company documents
- Use can be revoked at the discretion of IT Management

That's very similar to what we have here. We also bought everyone an encrypted memory stick (DataTraveler).
 
Aug 23, 2000
15,509
1
81
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file take it home and post it for everyone to see you're not going to stop it by making it password protected.

All that does is stop someone from accessing the drive if they find it laying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?

It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.

I see it as an All or Nothing policy.
 
Mar 26, 2008
148
0
0
Originally posted by: JeffreyLebowski
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file take it home and post it for everyone to see you're not going to stop it by making it password protected.

All that does is stop someone from accessing the drive if they find it laying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?

It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.

I see it as an All or Nothing policy.

Smart companies will make their users sign NDAs and other contractual agreements to not abuse or misuse company-provided devices. At work we do both, and we do prosecute to the full extent of the law, which I have seen done.

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: JeffreyLebowski
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file take it home and post it for everyone to see you're not going to stop it by making it password protected.

All that does is stop someone from accessing the drive if they find it laying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?

It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.

I see it as an All or Nothing policy.

Encryption is for protecting the data if the drive is lost or stolen. There's very little you can do to stop a determined insider who already has access to your information from screwing you. What you can do is show you've made your best effort to protect the data, and put processes in place to detect them as soon as possible.
 

SecPro

Member
Jul 17, 2007
147
0
0
Originally posted by: Zugzwang152
Originally posted by: JeffreyLebowski
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file take it home and post it for everyone to see you're not going to stop it by making it password protected.

All that does is stop someone from accessing the drive if they find it laying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?

It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.

I see it as an All or Nothing policy.

Encryption is for protecting the data if the drive is lost or stolen. There's very little you can do to stop a determined insider who already has access to your information from screwing you. What you can do is show you've made your best effort to protect the data, and put processes in place to detect them as soon as possible.


Exactly. At some point you are forced (in most cases) to give some level of trust to your employees. We are struggling with the same question around camera phones. Do you try and completely ban them from the workplace or do you realize they're coming in and ban their use? It's a topic of much discussion between me and my staff.

Our policy states that if you are going to transport sensitive company information outside the physical or logical confines of the company, it must be encrypted. We have given our employees the tools and training they need to do this.
 

FLegman

Member
Jul 26, 2007
98
0
0
Originally posted by: SagaLore
Here is a decent policy:

Company Thumbdrives:
- Must be stored in a secure location when not in use
- Must be encrypted and password protected
- Must not be used for personal use
- Must have files removed when no longer needed

Personal Thumbdrives:
- Cannot be used on other company servers, desktops, or laptops
- Cannot contain executables
- Cannot be used to store company documents
- Use can be revoked at the discretion of IT Management

Hello there,

I will do as stated above for the "Company Thumbdrives" then proceed further with this software for the "Personal Thumbdrives" section.

I personally used that software in a non-corporate environment and find it very efficient.
However it only works for USB keys and will fail to restrict external hard drives.

Edit: the new version seems to be capable of blocking hard drives. I will load and update my software and verify the latest added feature. Will keep you posted.

 

ScottFern

Diamond Member
Oct 23, 2002
3,629
2
76
Yeah.......we don't have one. We are one of the most relaxed IT departments I have ever seen. Not endorsing these types of IT policies, but everyone is a local admin on their laptop/desktop, no web filter, and no USB thumb drive policy.
 

Colt45

Lifer
Apr 18, 2001
19,720
1
0
They are outright banned, but that's not going to stop crooks anyways. I suppose it might stop honest noobs that have some virus on their flashdrive from who knows what at home.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,044
184
116
Don't you have more issues with viruses and whatnot?

Originally posted by: ScottFern
Yeah.......we don't have one. We are one of the most relaxed IT departments I have ever seen. Not endorsing these types of IT policies, but everyone is a local admin on their laptop/desktop, no web filter, and no USB thumb drive policy.

 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Our official policy is that all thumb drives must be brought to IT and secured with TrueCrypt. Unofficially I only know a handful of people who have done this. The sad part, I wrote the policy.
 

FLegman

Member
Jul 26, 2007
98
0
0
Originally posted by: sourceninja
Our official policy is that all thumb drives must be brought to IT and secured with TrueCrypt. Unofficially I only know a handful of people who have done this. The sad part, I wrote the policy.

Restricting access to the computers (by means of the above software, for instance) for any device that has not been presented to you to implement your policy will certainly help...

I tested the new feature that also enables external hard drive blocking and the software does the job.

 

Sam25

Golden Member
Mar 29, 2008
1,720
29
91
Originally posted by: Chiefcrowe
we are trying to make a flash drive policy....but nothing so far

Exactly this...eventually we'll get to something!
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Originally posted by: FLegman
Originally posted by: sourceninja
Our official policy is that all thumb drives must be brought to IT and secured with TrueCrypt. Unofficially I only know a handful of people who have done this. The sad part, I wrote the policy.

Restricting access to the computers (by means of the above software, for instance) for any device that has not been presented to you to implement your policy will certainly help...

I tested the new feature that also enables external hard drive blocking and the software does the job.

I'd love to, however for us it would be hard to implement. We have many 'classes' of users. Students, faculty, staff, etc. Sometimes all of them share the same machine. But the people we are really worried about are encrypting already (the business office). If a copy of an instructor's test gets out because he didn't encrypt, well who gives a shit.
 

Nahsavtoo

Member
Aug 13, 2009
34
0
0
Thumb Drives and external hard drives are banned from use unless you get exemptions and exemptions are assigned to your user profile and given based on a logical need rather than want or nice to have "just in case". All USB ports are blocked from use, this includes most USB peripherals that can store data to include cameras, iPods, phones. Logical needs involve: Do you REALLY need an external hard drive for the work you do or will the network shared drive suffice? Do you really need DVD/CD burner access or can you move files around electronically and access them from say a conference room computer? and so on.

We use ID cards with a 7 digit PIN to access our computers and our profile is pulled up with what we are and are not allowed to do/utilize - Local Admin rights, USB exemptions, internet exemptions, internet.

I have been rolling an idea around in my head and I believe it may work but I am no software engineer and have no idea what difficulties are involved.

1. Create a program that interrogates the thumbdrive/peripheral and receives an answer back before becoming available for access. I assume this means having software on the USB drive itself, which would probably have to be encrypted to prevent casual hacking.
2. Thumbdrive/peripheral answers and data becomes accessible after entering a password (Alphanumeric and 16 digits long kind of like CVBNfthd3940!@^%) much like what is already available/in use.
3. The interrogation software would have to be resident on the network servers only to prevent people from taking it home and installing it on their personals. Additionally the network would be accessible only by using an access card/ID on the workgroup computers the employees are authorized to access.

I am sure a database would need to be kept of who has access to what computers and thumbdrives or it may be that it is built in when they get a login ID and password. It would be a pain to initially create but once in place should provide easy and efficient management of USB devices within the workspace and give peace of mind to the boss and IT guys to know that the USB devices, if lost, are relatively secure.

Again I am not an IT guy, nor am I a software engineer. But it seems to me that the USB problem should be a relatively easy fix.

I am a firm believer in work is work and home is home and the two should not mix unless you work entirely from home for yourself or as a condition of employment. But that is just my opinion.
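
A sketch of the interrogate-and-answer idea in the post above, as an added example that is not part of the original thread or any product mentioned in it. It swaps in an HMAC challenge-response with a per-device key held by a server-side registry; the class, function names and device IDs are hypothetical, and the password that unlocks the data (step 2) is out of scope.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Server-side record of enrolled drives and their permitted users (hypothetical)."""

    def __init__(self):
        self._keys = {}     # device_id -> secret provisioned by IT at enrollment
        self._allowed = {}  # device_id -> set of user IDs (the "database" in the post)
        self._pending = {}  # device_id -> outstanding one-time challenge

    def enroll(self, device_id, users):
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        self._allowed[device_id] = set(users)
        return key  # stored on the drive; never leaves the server otherwise

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, user, response):
        nonce = self._pending.pop(device_id, None)  # single use, so replays fail
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response) and user in self._allowed[device_id]


def device_answer(key, nonce, user):
    """What the software on the drive would compute for the server's challenge."""
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()


def demo():
    reg = DeviceRegistry()
    key = reg.enroll("drive-001", ["alice"])  # constructed sample IDs
    out = {}
    n = reg.challenge("drive-001")
    good = device_answer(key, n, "alice")
    out["enrolled"] = reg.verify("drive-001", "alice", good)
    out["replay"] = reg.verify("drive-001", "alice", good)
    n = reg.challenge("drive-001")
    out["wrong_user"] = reg.verify("drive-001", "bob", device_answer(key, n, "bob"))
    n = reg.challenge("drive-001")
    out["wrong_key"] = reg.verify("drive-001", "alice", device_answer(b"\x00" * 32, n, "alice"))
    out["unenrolled"] = reg.verify("drive-999", "alice", b"")
    return out
```

The scheme is only as strong as the protection of the key on the drive: on an ordinary flash drive the key can be copied along with everything else, so it needs a device that keeps the key in hardware.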
 

Scouzer

Lifer
Jun 3, 2001
10,358
5
0
I don't think we have a policy. If we do, it's certainly not clearly described anywhere. I've used my thumb drives at work.
 

Saint Nick

Lifer
Jan 21, 2005
17,722
6
81
Fortune 200 company here. We do not have a thumb drive policy, AFAIK. Users are allowed to put whatever they want on them, and plug them into any workstation.

Not wise, IMO.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
I interned at a place once that had the USB ports disabled, removable media (save CDRWs) banned and they even banned digital picture frames.
 