- Dec 19, 2008
I am looking to draft a thumb drive security policy. What is your organization's stance on users bringing in thumb drives?
Originally posted by: SagaLore
Here is a decent policy:
Company Thumbdrives:
- Must be stored in a secure location when not in use
- Must be encrypted and password protected
- Must not be used for personal use
- Must have files removed when no longer needed
Personal Thumbdrives:
- Cannot be used on other company servers, desktops, or laptops
- Cannot contain executables
- Cannot be used to store company documents
- Use can be revoked at the discretion of IT Management
Originally posted by: JeffreyLebowski
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file, take it home, and post it for everyone to see, you're not going to stop it by making it password protected.
All that does is stop someone from accessing the drive if they find it lying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?
It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.
I see it as an All or Nothing policy.
Originally posted by: Zugzwang152
Originally posted by: JeffreyLebowski
Personally I think if you are going to restrict thumb drives, you should ban them. All you are doing by having users use encrypted thumb drives is adding a step in them copying files. If they are going to use the thumb drive to copy a file, take it home, and post it for everyone to see, you're not going to stop it by making it password protected.
All that does is stop someone from accessing the drive if they find it lying around. If you found a thumb drive in the street would you go, OMG that has the data my company can use to crush our competition so I'll post it online, or are you going to do a pr0n check then format it and say "finders keepers"?
It's a false sense of security to stop a lost drive from being used. It doesn't stop insider espionage, when the person that put the data on the drive is the person that is stealing the drive.
I see it as an All or Nothing policy.
Encryption is for protecting the data if the drive is lost or stolen. There's very little you can do to stop a determined insider who already has access to your information from screwing you. What you can do is show you've made your best effort to protect the data, and put processes in place to detect them as soon as possible.
Originally posted by: ScottFern
Yeah... we don't have one. We are one of the most relaxed IT departments I have ever seen. Not endorsing these types of IT policies, but everyone is a local admin on their laptop/desktop, no web filter, and no USB thumb drive policy.
Originally posted by: sourceninja
Our official policy is that all thumb drives must be brought to IT and secured with TrueCrypt. Unofficially I only know a handful of people who have done this. The sad part, I wrote the policy.
Originally posted by: Chiefcrowe
We are trying to make a flash drive policy... but nothing so far.
Originally posted by: FLegman
Originally posted by: sourceninja
Our official policy is that all thumb drives must be brought to IT and secured with TrueCrypt. Unofficially I only know a handful of people who have done this. The sad part, I wrote the policy.
Restricting access to the computers (by means of the above software, for instance) for any device that has not been presented to you to implement your policy will certainly help...
I tested the new feature that also enables blocking of external hard drives, and the software does the job.