Removable media security policy
Establishing a removable media security policy will allow sound oversight and accountability of information transported or transferred between systems on removable media. In addition, a well-enforced removable media security policy can decrease the likelihood and consequence of accidental data spills and information theft or loss.
Security Control: 1359; Revision: 2; Updated: Apr-19; Applicability: O, P, S, TS; Priority: Should
A removable media security policy is developed and implemented that includes:
- details of the removable media authority within the organisation
- types of media permitted within the organisation
- processes for media registration and auditing
- processes for media classification and labelling
- processes for the use of media for data transfers
- processes for the sanitisation/destruction and disposal of media.
Classifying media storing information
Media that is not correctly classified could be handled and stored inappropriately or accessed by personnel who do not have appropriate security clearances.
Security Control: 0323; Revision: 5; Updated: Feb-19; Applicability: O, P, S, TS; Priority: Must
Media is classified to the highest sensitivity or classification of information stored on the media.
Classifying media connected to systems
There is no guarantee that information will not be copied to media while connected to a system unless read-only devices or read-only media are used.
Security Control: 0325; Revision: 5; Updated: Mar-19; Applicability: O, P, S, TS; Priority: Must
Any media connected to a system is classified as the same sensitivity or classification as the system, unless the media is read-only, the media is inserted into a read-only device or the system has a mechanism through which read-only access can be ensured.
Media should always be protected according to the sensitivity or classification of the information it stores; however, if the sensitivity or classification of the information changes, so should the protection afforded to the media.
Security Control: 0331; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Media is reclassified if information copied onto the media is of a higher sensitivity or classification than the information already on the media, or information stored on the media is subject to a classification upgrade.
Security Control: 0330; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it.
Labelling media helps personnel to identify its sensitivity or classification and ensure that appropriate security controls are applied to its handling and usage.
While text-based protective markings are typically used for labelling media, there may be circumstances where colour-based protective markings or other marking schemes need to be used instead. In such cases, the marking scheme will need to be documented and personnel will need to be trained in its use.
Security Control: 0332; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Media, with the exception of internally mounted fixed media within ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.
Connecting media to systems
Some operating systems provide functionality to automatically execute programs that reside on media. While this functionality was designed with a legitimate purpose in mind (e.g. such as automatically loading a graphical user interface for a user to browse the contents of media or to install software residing on the media) it can also be used for malicious purposes. For example, an adversary can create a file on media that the operating system believes it should automatically execute. When the operating system executes the file, it can have the same effect as when a user explicitly executes malicious code; however, in this case the user is taken out of the equation as the operating system executes the file without explicitly asking for permission.
Device access control software allows greater control over media that can be connected to systems and how it can be used. This assists in preventing unauthorised media being connected to systems and, if desired, preventing information from being written to it. Media can also be prevented from connecting to systems by disabling connection ports in software or by physical means such as using wafer seals or applying epoxy. If physical means are used to prevent media connecting to systems, procedures covering detection and reporting processes are needed in order to respond to attempts to bypass these security controls.
Security Control: 0337; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Media is not used with systems that are not authorised to process, store or communicate the sensitivity or classification of information on it.
Security Control: 0341; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Any automatic execution features for media are disabled in the operating system of systems.
Security Control: 0342; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Unauthorised media is prevented from connecting to systems via the use of device access control software, disabling connection ports, or by physical means.
Security Control: 0343; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
Media is prevented from being written to via the use of device access control software if there is no business requirement for its use.
External interface connections that allow Direct Memory Access
It has been demonstrated that an adversary can connect media to a locked system via an external interface connection that allows Direct Memory Access (DMA) and subsequently gain access to encryption keys in memory. Furthermore, an adversary can read or write any content to memory that they desire. The best defence against this security vulnerability is to disable access to external interface connections that allow DMA using software controls or physical measures. External interface connections that allow DMA include FireWire, ExpressCard and Thunderbolt.
Security Control: 0345; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
External interface connections that allow DMA are disabled.
As media can be easily misplaced or stolen, mechanisms should be put in place to protect information stored on it. Furthermore, applying encryption to media may reduce the requirements for storage and physical transfer. Any reduction in requirements needs to be based on the original sensitivity or classification of information residing on the media and the level of assurance in the encryption software being used to encrypt the media.
Security Control: 0831; Revision: 5; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Media is handled in a manner suitable for its sensitivity or classification.
Security Control: 1059; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Must
Media is encrypted with at least an Australian Signals Directorate Approved Cryptographic Algorithm.
Using media for data transfers
Organisations transferring data between systems belonging to different security domains are strongly encouraged to use write-once media. This will ensure that information from one of the systems cannot be accidently transferred onto the media then onto another system when the media is reused for the next transfer.
Security Control: 0347; Revision: 4; Updated: Sep-18; Applicability: O, P, S, TS; Priority: Should
When transferring data manually between two systems belonging to different security domains, write-once media is used.
Further information on accounting for and storing media can be found in the ICT equipment and media section of the Guidelines for Physical Security.
Further information on labelling ICT equipment can be found in the ICT equipment usage section of the Guidelines for ICT Equipment Management.
Further information on reducing storage and physical transfer requirements can be found in the cryptographic fundamentals section of the Guidelines for Using Cryptography.
Further information on using media to transfer data between systems can be found in the Guidelines for Data Transfers and Content Filtering.
Further information on the use of protective markings can be found in the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF), Sensitive and classified information policy, at https://www.protectivesecurity.gov.au/information/sensitive-classified-information/.
Further information on the storage and transfer of media can be found in AGD’s PSPF, Physical security for entity resources policy, at https://www.protectivesecurity.gov.au/physical/physical-security-entity-resources/.