Edge Device/USB Policy
USB Drives and Security: The Problem
The proliferation of USB flash drives and other mass storage devices, such as iPods and external hard drives, has opened a new security hole in company information networks. Many companies have had their confidential information stolen or mislaid as a result of portable device use. It is similar to the problem posed by laptops; you may have read about various data losses from laptops stolen from cars, for example. In one famous case, classified Los Alamos weapons laboratory information was found on a data key during a crystal meth raid. The young worker claimed that she had simply taken the information home to work on. As a result, the lab disabled the USB ports on its machines using hardware, software and even super glue. Of course, the problem is that the same ports used for connecting edge devices like flash drives and iPods are also used for keyboards and mice. Thus the problem must be addressed with more complicated software solutions, as well as good security policies and enforcement. This problem has created interest in encrypted data drives, to protect information that is legitimately taken portable. Also, various suppliers of port blocking software are emerging to help manage this security issue. A white list approach, in which only authorized secure devices can attach to your network, is one general strategy to address this issue.
According to Forrester research, only 9 percent of companies have deployed mobile management tools.
Solutions
We asked our members for sample USB drive policies using our Econnect service. The response we received indicated that our members haven't developed a policy in this area and asked us to "please send us one". Below is the policy that I wrote for MACNY, in case it might serve as a starting point for you.
Note that this policy is tied to assumptions about our security procedures. It assumes a "white list" approach of allowing only certain secure devices to be used. It also assumes that there is some port monitoring, and perhaps even limiting of ports to the white listed devices. But the policy could be distributed and enforced, and the staff educated, even without a port limiting technical solution. The one necessary ingredient for this policy is to buy some encrypted data keys. This recent article describes a few examples: http://www.informationweek.com/news/showArticle.jhtml?articleID=206900256.
As for USB port monitoring/blocking software, I have run across the following products: DeviceLock, DeviceWall, AccessPatrol, and Endpoint Security.
"EDGE DEVICE POLICY:
Connecting devices to the MACNY network is prohibited unless specifically authorized. You must receive specific authorization from your supervisor before connecting any peripheral device to the MACNY network. Devices include, but are not limited to, portable drives, data keys/USB keys/thumb drives, iPods or other music devices, BlackBerrys, smart phones, or any mass storage device. Only specifically approved devices can be used to connect to the MACNY network.
The Director of IT will maintain an inventory of all approved devices by type and serial number. You should confirm approval of a particular device with the Director of IT before you use it on the MACNY network. Any device that is used to connect to the MACNY network and transfer or transport data must use 256-bit Advanced Encryption Standard (AES) hardware-based encryption. Encrypted information must be accessible using passwords that comply with the MACNY Internet/E-mail/Computer Workstations Policy. Approved devices can only be used to transfer non-confidential information (e.g. customer presentations).
Unless specifically authorized, employees are prohibited from changing the network settings, security settings, passwords, port settings, BIOS instructions, or attempting in other ways to circumvent security restrictions on the MACNY network.
Connecting an unauthorized device to the MACNY network is considered a potentially serious security breach and cause for disciplinary action up to and including termination. Transferring data using an unauthorized device is considered a serious security breach and cause for disciplinary action up to and including termination."
If you have questions or comments, please contact John Lawyer (jlawyer @macny.org).