Removable Media Security Use Policy
Effective 1 June 2007
The purpose of this policy is to establish standards of secure use for removable data storage media, hereafter referred to as removable media, when sensitive data is involved.
This standard applies to all VMI network users with regard to removable media including floppy disks, USB drives, CDs, DVDs, and any other physical media available used to transport data.
Removable Media: CDs, DVDs, magnetic tapes, floppy disks, external hard drives, universal serial bus (USB) drives (also known as memory sticks, jump drives and thumb drives) and any other storage media intended for data portability separate from the system on which it originated.
Sensitive data: Data with the highest level of protection including, but not limited to, data protected by law, data protected under the Family Educational Rights and Privacy Act of 1974 (FERPA), data protected by legal contracts, security-related data such as passwords, data containing personal information such as medical records, social security numbers, or other data which if available to unauthorized users, may harm an individual, group, or the Institute.
Removable media is commonly used to transfer electronic files from one computer to another, and as a mechanism to archive data. Security controls in place on VMI systems typically do not follow the data when it is copied to removable media. Users who place sensitive data on removable media must be aware of the security risks and recognize their responsibilities to protect the data.
Removable media is typically small, portable, and more easily misplaced than permanent storage devices. Because of the nature of removable media a higher risk exists for inappropriate disclosure if the media is used to store sensitive data.
Sensitive data should not be stored, even temporarily, on the internal hard drive of a laptop computer. If a laptop is to be used to work with sensitive data, the data should be stored on encrypted removable media.
The following safeguards should be observed to protected Sensitive data stored on removable media:
Users should avoid storage of sensitive data on removable media whenever possible.
When there is no reasonable alternative to storing sensitive data on removable media, it must be the minimum data necessary to accomplish the required task.
Sensitive data stored on removable media must be protected by VMI approved encryption methods.
Sensitive data stored on removable media must also be stored on a secure network file share or as a part of the original system from which it was derived or copied (example: Colleague).
Storing Sensitive data on a file share or the original system ensures secure backup of the data.
In the event of a privacy disclosure, a copy of the data is needed to determine to whom notification should be sent.
Removable media must always be physically secured.
When removable media is no longer needed, proper disposal techniques must be employed.
If removable media is lost or stolen, the user must contact their supervisor and the Information Technology Help Desk immediately so that necessary steps can be taken to limit damage and liability of an inappropriate disclosure.