Flash Drive Policy

MrEyes

What sort of policy does your company have in relation to removeable media? We are currently in the throws of putting together a security policy and have reached the stumbling block that is USB flash drives, data storage capabale media devices (i.e. Ipods) etc. The options are: 1) Ban them all (however they are very useful things to have around). 2) Allow them and accept the associated risks. 3) Only allow "company" devices. 4) Only allow "company" devices and use some sort of encryption software on them (anybody have any recommendations). 5) Pretend the problem doesnt exist. 6) Something else we have not thought of yet (over to you).

Maximilien

MrEyes wrote:

removeable media?

does paper count as a removeable media ? I could print a couple of pages of highly sensitive code snipets and no one will really know.

MrEyes wrote:

Allow them and accept the associated risks.

This is what we have as a policy here ( I think ).

Maximilien Lincourt Your Head A Splode - Strong Bad

Andy Davies

where i work currently we have to virus scan them before we are allowed to use them, but that dosent happen often, and there are only 12 of us...

http://www.stormbase.net

Jerry Hammond

I keep saying this over and over, a little epoxy goes a long way.

When was the last time you poured some wine for you and your sweetie and went out on the front porch to watch the geometry frolic on the lake?--Rebecca M. Riordan, Designing Effective Database Systems

Douglas Troy

What kind of problem are they actually causing your company? Do you all feel they are a security risk? What about CD ROM Burners? DVD Burners? Floppy disks? Zip/Jaz? Will your company "ban" those as well? How about internet access? (e.g. upload source to a site) Even printed materials, as mentioned before, are probably more of a security threat than a thumb drive. Example: about 2 weeks ago, I noticed accounting documents in the dumpster from the company across the street. These documents contained client information, phone numbers, client account numbers, etc... If I had taken that same data, put it on a thumb drive and tossed THAT into the trash, no one would have been the wiser, unless they went "diving" ... I believe a "common sense" policy works best here; employees can use them, but they fall under the guidelines that they are responsible both in the office and outside the office for the device(s) and materials contained on them. If an employee lost a device that contained sensitive corporate data, then they can loose their job. Why say or do anymore than that? My two cents.

:..::. Douglas H. Troy ::..
Bad Astronomy |VCF|wxWidgets|WTL

Duncan Edwards Jones

Maximilien wrote:

I could print a couple of pages of highly sensitive code snipets and no one will really know

They very easily could, and probably should. I've put code in some companies to check who printed what and when...although it is more usually to protect architectural documents or PCB schematics than source code.

'--8<------------------------ Ex Datis: Duncan Jones Merrion Computing Ltd

Ennis Ray Lynch Jr

Disallowing them to be inserted then people can still have there personal media players. Then you can make special exceptions for employes. The point, however, is that unless you require Top Secret clearance there is not much you can or should do as stealing IP is easy and there is a required trust. Imagine just uploading a large file to a web based storage server. Then you say ok, those are easy to block but then what about the ones in Russian or Dutch?

On two occasions I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question. - Charles Babbage

Paul Watson

We operate under number 2. Right now I have a 500gb external HD plugged into our network. I'll take it home later. Nobody minds. But then we are an IT research house so not the same as a corporate environment.

regards, Paul Watson Ireland FeedHenry needs you

Shog9 wrote:

eh, stop bugging me about it, give it a couple of days, see what happens.

Varindir Rajesh Mahdihar

all workstations have removable media devices locked down. no ands, ifs, or buts...

You don't see a WTF in spawning hundreds of threads ?? Or using code found on places like codeproject.com in production applications ... Code that is most likely untested, or barely test, more often than not, not made by reputable developers/development groups/etc ?? .... Wow ...---WTF