Purpose
The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business requirements to connect portable removable media to any infrastructure within NNMC’s internal network(s) or related technology resources. This removable media policy applies to, but is not limited to, all devices and accompanying media that fit the following device classifications:
- Portable USB-based memory sticks, also known as flash drives, or thumb drives, jump drives, or key drives.
- Memory cards in SD, CompactFlash, Memory Stick, or any related flash-based supplemental storage media.
- USB card readers that allow connectivity to a PC.
- Portable MP3 and MPEG-playing music and media player-type devices such as iPods with internal flash or hard drive-based memory that support a data storage function.
- PDAs, cell phone handsets, and smartphones with internal flash or hard drive-based memory that support a data storage function.
- Digital cameras with internal or external memory support.
- Removable memory-based media, such as rewritable DVDs, CDs, and floppy disks.
- Any hardware that provides connectivity to USB devices through means such as wireless (WiFi, WiMAX, irDA, Bluetooth, among others) or wired network access.
The policy applies to any hardware and related software that could be used to access corporate resources, even if said equipment is not corporately sanctioned, owned, or supplied.
The overriding goal of this policy is to protect the integrity of the private and confidential client and business data that resides within NNMC’s technology infrastructure. This policy intends to prevent this data from being deliberately or inadvertently moved outside the enterprise network and/or the physical premises where it can potentially be accessed by unsanctioned resources. A breach of Page 2 NNMC IT Services this type could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing removable media and/or USB-based technology to backup, store, and otherwise access corporate data of any type must adhere to company-defined processes for doing so.
Threats and Security Risks
The Policy addresses the following range of threats:
Threat | Description |
---|---|
Loss | Devices used to transfer or transport work files could be lost or stolen. |
Theft | Sensitive corporate or client data is deliberately stolen and sold by an employee. |
Copyright | Software copied onto portable memory device could violate licensing. |
Spyware | Spyware or tracking code enters the network via memory media. |
Malware | Viruses, Trojans, Worms, and other threats could be introduced via external media. |
Compliance | Loss or theft of financial and/or personal and confidential data could expose the enterprise to the risk of non-compliance with various identity theft and privacy laws. |
Addition of new hardware, software, and/or related components to provide additional USB-related connectivity within corporate facilities will be managed at the sole discretion of IT. Non-sanctioned use of USB-based hardware, software, and/or related components to back up, store, and otherwise access any enterprise-related data is strictly forbidden.
Appropriate Use Policy
It is the responsibility of any employee of Chemwatch who is connecting a USB-based memory device to the organizational network to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here.
- IT Reserves the right to refuse the ability to connect removable media to corporate environment or personal environment physically connected to the corporate network.
- Wi Fi connected devices should not have an access to internal resources.
- VPN connected devices should be considered as physically connected devices and should follow the same rules as other connected nodes.
- Prior to initial use on the corporate network or related infrastructure, all USB-related hardware and related software must be registered with IT. Before granting the approval, IT must check the removable media for possible threats such as Spyware or Malware.
- End users who wish to connect such devices to non-corporate network infrastructure to gain access to enterprise data must employ, for their devices and related infrastructure, a company-approved personal firewall and any other security measure deemed necessary by the IT department.
- IT is responsible for supporting the list of allowed types of media. Media which is outside the list must not be accepted for use.
- Company's or client data stored on removable media should be protected by a password, which corresponds to IT security requirements.
- All USB-based devices that are used for business interests must be pre-approved by IT, and must employ reasonable physical security measures
- All removable media will be subject to quarantine upon return to the office before they can be fully utilized on enterprise infrastructure.
- Passwords and other confidential data as defined by IT department are not to be stored on portable storage devices.
- Passwords for media should not be sent using non-encrypted communication channels.
- Passwords cannot be sent to many recipients. There should always be one person responsible for keeping the password private.
- End users must apply new passwords every business/personal trip where company data is being utilized on USB-based memory devices.
- Any USB-based memory device that is being used to store sensitive data must adhere to the authentication requirements of IT department
- Employees, contractors, and temporary staff will follow all enterprise-sanctioned data removal procedures to permanently erase company-specific data from such devices once their use is no longer required.
- IT can and will establish audit trails in all situations it feels merited.
- The end user agrees to immediately report to his/her manager andIT department any incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of company resources, databases, networks, etc.
Non-Compliance
Failure to comply with the Removable Media and Acceptable Use Policy may, at the full discretion of the organization, result in the suspension of any or all technology use and connectivity privileges, disciplinary action, and possibly termination of employment.