We are not implementing specific policies regarding pen drives, but are tying their usage policies around a broader information handling & classification policy, which itself is part of a much broader information handling program.

From a technological stand point, pen drives are no more a threat than CDs, DVDs, floppies, "port 80", and email.

By tackling the "root-cause" you ensure that your policies and standards will hold up to the next pervasive technology, and in this instance what you are concerned about protecting is not the technological device per sé, but the information stored on it. For example, "confidential" information must be adequately protected, and if the storage medium doesn't support encryption, then the contents themselves must be encrypted in accordance with applicable policies and standards.

If the data is encrypted, why do you as an organization really care then if the data is on a pen drive, or a DVD?

Just my 2¢.

--
George Ellenburg

-----Original Message-----
From: Kosala Atapattu [mailto:kosalaa (at) carcumb (dot) com [email concealed]]
Sent: Monday, June 05, 2006 11:30 PM
To: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: USB pen drive policy

Hi all,

Is there any one use a USB pendrive policy? I was just wondering how to
handle USB pendrives since there capacities are increasing by day and
becoming a potential threat of Information leakage.

At the same time USB pendrive have become some thing we can't get rid
of, there uses overwhelm user productivity in some cases (people take
work home..:)).

Has any one come across similar Policy regarding USB pen drives. Any
comment highly appreciated.

Kosala Atapattu

[ reply ]