I'm assuming here that the issue that you are trying to address is the use of unapproved USB devices and the threats they introduce to your environment. In summary the threats are:
- Importing a Trojan or unauthorised software via USB stick, leading to a loss of service.
- Importing copyrighted material (typically music or videos), breaching copyright and using up
- Theft of company information by downloading onto a USB device.
- Downloading information onto a USB device and subsequently losing that device, leading to a disclosure of sensitive information and potential reputational damage.
There are a number of well-established products in the market geared toward ensuring USB drive security. In choosing a product, consider the following questions:
- Do you want to control and audit devices, or do you also want to be able to encrypt them using
the same product? Some products will allow you to do both.
How easy is it to centrally manage USB device permissions?
- Do you want to prevent unauthorised devices, or just receive an alert when an unauthorised device is introduced?
The answers to these questions will depend on the risk to your organisation and the procedures that will work for you. In my experience, it can be difficult to persuade businesses to adopt a complete lockdown of USB devices, particularly senior managers using iPhones (yes, these too are USB devices). So select a tool that offers the flexibility to manage exceptions if you cannot implement a strict policy, as is often the case.
This was first published in January 2010