This is a guest post by John Rostern, Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. His last post explained why regulatory compliance doesn’t always bring information security.
The ubiquitous nature and growing capacity of computer-removable media — USB hard drives, thumb drives and similar devices — puts the confidentiality, integrity and availability of corporate information at risk. Many organizations still do not include USB storage in their information security policies, and few security managers actively monitor or prevent their use by employees. Organizations need a security strategy that is both flexible and adaptable to deal with the evolving capabilities of these removable media devices.
Regulatory compliance has served to highlight the need to address the security issues created by the increased use of computer-removable media. The focus on risks related to “information leakage” through USB drives of all sorts is heightened by regulations and industry information security initiatives, such as the Payment Card Industry Data Security Standard for credit card companies and merchants.
In the United States, laws such as the Gramm-Leach-Bliley Act for financial companies and the Health Insurance Portability and Accountability Act for healthcare providers and insurers are putting pressure on companies to safeguard personal information stored on computers — or face penalties for security failures.
Members of the European Union (EU) and companies doing business there are further regulated by increasingly stringent privacy laws. The 1995 EU data protection directive provides regulatory guidance for the processing and transfer of personal information within and outside the EU.
Managing the risk presented by removable media has proven to be difficult for both security professionals and end users because the same features that contribute to the popularity of these devices create a complex security problem. The easy compatibility, small size and high capacity of these USB storage devices require both technical and procedural solutions.
In my experience dealing with clients of all sizes there seems to be a prevalence of point solutions. Tactical solutions such as disabling or locking down the USB ports may provide a marginal improvement in security, but they do not address monitoring in situations where USB access is required by the business. Tools that facilitate the management and reporting of such usage, when aligned with an overall policy regarding the acceptable use of removable media, provide the most effective basis for managing this risk.
Organizations should ensure that their overall security architecture includes a combination of technical and procedural countermeasures covering areas such as employee awareness, encryption and device hardening. The countermeasures developed to mitigate specific risks should be factored into both the risk assessment and the ongoing audit plan for the function. Tests to validate the existence and operational effectiveness of these countermeasures should be performed as part of scheduled audits. The results of such testing can positively or negatively affect the risk rating of a functional area.
|John Rostern is Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. He has more than 27 years of diverse experience in information systems management, architecture, application development, technology, audit and information security.|
Editor’s Note: The following four tips and articles offer additional advice and perspective on the risks of USB storage and methods to mitigate exposure.