
Compliance Risk & Information Security Partners

Introducing the new small business third-party risk management company

14-M: Removable Media Management

This section evaluates how your organization controls the use of removable media and portable storage devices (such as USB drives, external hard drives, and other portable media).

The questions focus on whether you restrict or approve their use, apply encryption and malware protections, and maintain procedures for securely transferring, storing, and disposing of data on these devices.

Overall, this section checks that removable media do not become an unmanaged channel for data loss, malware introduction, or unauthorized access to sensitive information.

Explanation: A removable media management policy helps ensure that portable storage devices are used securely, mitigating risks associated with data loss or unauthorized access.

Risks of Incorrect Answer: Unregulated use of removable media could result in data breaches or malware infections.

Lack of a defined policy may lead to non-compliance with data protection standards.

Applicable Frameworks: ISO/IEC 27001:2013 (A.8.3.1, Management of removable media): Requires procedures for managing removable media in line with the organization's classification scheme.

NIST CSF 1.1 (PR.PT-2): Requires that removable media be protected and its use restricted according to policy.

HIPAA (45 CFR 164.310(d)(1), Device and media controls): Requires policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI.

Explanation: A well-defined and communicated policy ensures that all employees understand the proper handling of removable media and that responsibility is clearly assigned.

Risks of Incorrect Answer: Employees may mishandle removable media, increasing the risk of data loss or compromise.

Lack of oversight could lead to inconsistent policy enforcement.

Applicable Frameworks: ISO/IEC 27001:2013 (A.5.1.1, Policies for information security): Requires that policies be defined, approved by management, published, and communicated to employees and relevant external parties.

NIST CSF 1.1 (ID.GV-1): Requires that organizational cybersecurity policy be established and communicated.

Explanation: Encrypting the device (or the data written to it) ensures that information stored on removable media cannot be read by unauthorized users if the device is lost or stolen; without the key, a lost drive is a lost piece of hardware rather than a data breach.

Risks of Incorrect Answer: Unencrypted data on lost or stolen media could result in a breach of sensitive information.

Non-compliance with regulations mandating encryption of portable data.

Applicable Frameworks: ISO/IEC 27001:2013 (A.10.1.1, Policy on the use of cryptographic controls): Requires a policy on the use of cryptographic controls to protect information, which should cover portable media.

NIST CSF 1.1 (PR.DS-1): Requires that data at rest be protected.

PCI DSS v3.2.1 (3.4; 3.5.1 in v4.0): Requires that PAN be rendered unreadable anywhere it is stored, explicitly including portable digital media.

Explanation: Secure disposal ensures that sensitive data cannot be retrieved from discarded media, protecting against unauthorized access.

Risks of Incorrect Answer: Insecure disposal of media could result in data recovery by malicious actors.

Violations of standards requiring secure data destruction could result in penalties.

Applicable Frameworks: ISO/IEC 27001:2013 (A.8.3.2, Disposal of media): Requires that media be disposed of securely when no longer required, using formal procedures.

NIST CSF 1.1 (PR.IP-6): Requires that data be destroyed according to policy.

HIPAA (45 CFR 164.310(d)(2)(i), Disposal): Requires policies and procedures for the final disposition of ePHI and of the hardware or electronic media on which it is stored.

Explanation: Logs and audit trails help track the use and movement of removable media, ensuring accountability and supporting forensic investigations if necessary.

Risks of Incorrect Answer: Lack of logging makes it difficult to trace misuse or loss of removable media.

Non-compliance with standards requiring accountability for data handling.

Applicable Frameworks: ISO/IEC 27001:2013 (A.12.4.1, Event logging): Requires that event logs recording user activities and security events be produced, kept, and reviewed; connecting and disconnecting removable media is one such event.

NIST CSF 1.1 (PR.PT-1): Requires that audit and log records be determined, documented, implemented, and reviewed in accordance with policy.

PCI DSS v3.2.1 (10.1): Requires audit trails that link all access to system components to an individual user.
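The two controls above that are easiest to check mechanically are approval (only known devices may be used) and logging (every attach and detach is recorded and attributable to a host and time). As an added illustration that is not part of the CRISP questionnaire, the script below reads Linux kernel messages in syslog format, reconstructs each USB mass-storage attach/detach event with its vendor ID, product ID and serial number, and flags any device whose serial is not on an allowlist. The log lines, hostname, vendor/product IDs and serials are constructed for the example; the message formats (usb-storage "USB Mass Storage device detected", "New USB device found", "SerialNumber:", "USB disconnect") are the ones the Linux kernel emits, and a practitioner would point the parser at /var/log/kern.log or the output of journalctl -k.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample (not a real capture): an approved drive plugged in and
# removed, an unknown drive plugged in and left, and a mouse that is not
# storage at all and therefore must produce no event.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar  3 09:12:01 ws01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 09:12:01 ws01 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar  3 09:12:01 ws01 kernel: usb 1-1: Product: Ultra Fit
Mar  3 09:12:01 ws01 kernel: usb 1-1: Manufacturer: SanDisk
Mar  3 09:12:01 ws01 kernel: usb 1-1: SerialNumber: 4C530001234567890123
Mar  3 09:12:01 ws01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar  3 09:12:05 ws01 kernel: usb 1-1: USB disconnect, device number 4
Mar  3 09:20:44 ws01 kernel: usb 2-3: new high-speed USB device number 7 using xhci_hcd
Mar  3 09:20:44 ws01 kernel: usb 2-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Mar  3 09:20:44 ws01 kernel: usb 2-3: SerialNumber: 0123456789AB
Mar  3 09:20:44 ws01 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Mar  3 09:30:00 ws01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
"""

# Allowlist of approved device serials (constructed); in practice this is the
# register kept by whoever approves removable media under the policy.
APPROVED_SERIALS: Set[str] = {"4C530001234567890123"}

# Syslog prefix; the optional "[ 123.456]" group tolerates kernel uptime stamps.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?(?P<msg>.*)$")
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)$")
# The usb-storage driver names the interface (port:config.interface), e.g. 1-1:1.0.
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected$")
DISCONNECT_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, device number \d+$")


@dataclass
class MediaEvent:
    timestamp: str
    host: str
    port: str
    action: str          # "attach" or "detach"
    vid: str = ""
    pid: str = ""
    serial: str = ""
    approved: bool = False


def audit_removable_media(log_text: str, approved_serials: Set[str]) -> List[MediaEvent]:
    """Reconstruct mass-storage attach/detach events from kernel log lines.

    The kernel spreads one device's enumeration over several lines keyed by the
    bus port (e.g. "1-1"), so partial info is collected per port until the
    usb-storage driver claims the device; only then is an attach event emitted.
    """
    pending: Dict[str, Dict[str, str]] = {}   # port -> vid/pid/serial seen so far
    active: Dict[str, MediaEvent] = {}        # port -> attach event for storage still plugged in
    events: List[MediaEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        if (f := FOUND_RE.match(msg)):
            pending[f["port"]] = {"vid": f["vid"], "pid": f["pid"], "serial": ""}
        elif (s := SERIAL_RE.match(msg)):
            pending.setdefault(s["port"], {"vid": "", "pid": "", "serial": ""})["serial"] = s["serial"]
        elif (st := STORAGE_RE.match(msg)):
            info = pending.get(st["port"], {"vid": "", "pid": "", "serial": ""})
            # A device that reports no serial can never be matched to the register.
            approved = bool(info["serial"]) and info["serial"] in approved_serials
            ev = MediaEvent(ts, host, st["port"], "attach", info["vid"], info["pid"], info["serial"], approved)
            events.append(ev)
            active[st["port"]] = ev
        elif (d := DISCONNECT_RE.match(msg)):
            pending.pop(d["port"], None)
            if d["port"] in active:          # only storage devices produce detach records
                prev = active.pop(d["port"])
                events.append(MediaEvent(ts, host, d["port"], "detach",
                                         prev.vid, prev.pid, prev.serial, prev.approved))
    return events


def unapproved_attachments(events: List[MediaEvent]) -> List[MediaEvent]:
    """Attach events for devices not on the allowlist: the policy violations to review."""
    return [e for e in events if e.action == "attach" and not e.approved]


if __name__ == "__main__":
    evs = audit_removable_media(SAMPLE_LOG, APPROVED_SERIALS)
    for e in evs:
        status = "approved" if e.approved else "NOT APPROVED"
        print(f"{e.timestamp} {e.host} port={e.port} {e.action:6} "
              f"vid={e.vid} pid={e.pid} serial={e.serial or '-'} {status}")
    print(f"{len(unapproved_attachments(evs))} unapproved attachment(s)")
```

The record per event (time, host, port, vendor/product ID, serial, approval status) is the minimum an audit trail needs to answer the questions this section asks: which device, on which machine, when, and whether it was permitted. Keying on the serial rather than the vendor/product pair matters because every unit of a given drive model shares the same IDs, and an attacker can clone those freely.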


Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.

Contact Us

Let’s discuss your unique security needs and address any other questions you may have. Contact us today for a free consultation and take the next step towards strengthening your company’s defenses.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.