PS-4 – Removable Media


What is PS-4 – Removable Media Control?

Removable media control is about mitigating the risks that removable media can introduce to the organization. By removable media, we mean USB memory sticks, flash drives, CDs, DVDs, external hard drives, mobile phones, and tablet devices. Using removable media can be dangerous because it can introduce malware into an organization. Ideally, discourage the use of removable media altogether; if you must allow it, ensure there are rules your employees need to follow.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them.

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

  • Externally sourced template from the US patent site
  • Externally sourced template from Delta State University

Control implementation

To implement this control:

  1. It is important to define your position on the use of removable media and document it.
  2. It is also important to include preventive measures to mitigate the risks in the event of the use of removable media. Preventive measures include:
    1. Antivirus/antimalware
    2. Disabling auto-run and auto-play features
    3. Disabling USB flash drives
    4. Employee security awareness
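
One way to check preventive measures 2 and 3 on a Windows endpoint, as an added example that is not part of the original page or TrustCloud's tooling. It assumes the measures are enforced through the standard Windows registry policy values named in the comments; the function names are hypothetical.

```powershell
# Added example: audit the auto-run and USB storage settings on a Windows endpoint.
# Assumption: controls are applied via the standard registry policy values below.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-RemovableMediaControls {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $usbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $remPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

    # NoDriveTypeAutoRun = 0xFF (255) turns off AutoPlay/AutoRun for every drive type.
    $autoRun = Get-RegValue $explorer 'NoDriveTypeAutoRun'

    # USBSTOR Start = 4 prevents the USB mass-storage driver from loading.
    $usbStart = Get-RegValue $usbStor 'Start'

    # Deny_All = 1 is the "All Removable Storage classes: Deny all access" policy.
    $denyAll = Get-RegValue $remPol 'Deny_All'

    # A missing value compares unequal, so an unset policy is reported as a failure.
    @(
        [pscustomobject]@{
            Control  = 'AutoRun/AutoPlay disabled on all drive types'
            Observed = "NoDriveTypeAutoRun=$autoRun"
            Pass     = ($autoRun -eq 255)
        },
        [pscustomobject]@{
            Control  = 'USB flash drives disabled'
            Observed = "USBSTOR Start=$usbStart; Deny_All=$denyAll"
            Pass     = (($usbStart -eq 4) -or ($denyAll -eq 1))
        }
    )
}

$report = Test-RemovableMediaControls
$report | Format-Table -AutoSize -Wrap

# Non-zero exit code lets a scheduled job or management agent flag the host.
if ($report | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

The table output can be saved per host as supporting evidence alongside the documented procedure.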

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested action below.

  1. Documented procedure regarding removable media.

Evidence example

For the suggested action, an example is provided below:

  1. Documented procedure regarding removable media.
    The following screenshot shows a sample of the removable media policy.
    [Screenshot: PS 4 Removable Media 01]
