Restrict the use of USB drives and portable media on systems you don't control.
What it actually means
Limit the use of portable storage devices on external systems — for example, restrict employees from using company USB drives on personal or third-party computers where you can't control the security. Set the policy and enforce it where technically feasible.
Pass or fail — an assessor needs a "yes" to each
- Is the use of organizational portable storage on external systems restricted by policy?
- Is it enforced technically where feasible?
What to have ready
- Removable-media policy addressing external systems
- Endpoint configuration restricting portable storage
Where teams trip up
- No policy on where company USB drives can be used
- Relying solely on policy with no enforcement
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →