Do not use portable storage that has no identifiable owner.
What it actually means
Prohibit the use of portable storage devices when they have no identifiable owner — no plugging in 'found' or unknown USB drives, a classic malware vector. Set the policy and, ideally, enforce it with endpoint controls that block unknown removable devices.
Pass or fail — an assessor needs a "yes" to each
- Is the use of portable storage devices with no identifiable owner prohibited?
- Is it enforced via endpoint controls where feasible?
What to have ready
- Removable-media policy prohibiting ownerless devices
- Endpoint configuration blocking unknown USB devices
Where teams trip up
- No rule against using found or unknown USB drives
- Policy exists but endpoints allow any USB device
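One way to test for the "policy exists but endpoints allow any USB device" gap, as an added example that is not part of the original page. It assumes the endpoint control is USBGuard on Linux (a tool the page does not name) and a hypothetical owner register keyed by device serial; the rules, serials and owner entry are constructed.

```python
import shlex

# Constructed asset register (assumption): device serial -> accountable owner.
OWNERS = {"4C530001220528116173": "j.rivera, asset tag 0412"}

# Constructed rules in USBGuard rule syntax; 08 is the USB mass-storage class.
SAMPLE_RULES = """
allow id 0781:5583 serial "4C530001220528116173" with-interface 08:06:50
allow id 0951:1666 serial "E0D55EA573DCF450" with-interface 08:06:50
allow with-interface equals { 08:*:* }
"""


def audit(rules_text, implicit_target, owners):
    """Return findings where the endpoint would accept an ownerless device."""
    findings = []
    # ImplicitPolicyTarget decides what happens to devices no rule matches.
    if implicit_target not in ("block", "reject"):
        findings.append(f"implicit policy '{implicit_target}' lets unmatched devices through")
    for n, line in enumerate(rules_text.strip().splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] != "allow":
            continue
        if "serial" not in tokens[:-1]:
            findings.append(f"rule {n}: allow rule pins no serial, so any matching device is accepted")
            continue
        serial = tokens[tokens.index("serial") + 1]
        if serial not in owners:
            findings.append(f"rule {n}: serial {serial} has no owner in the register")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, "allow", OWNERS):
        print("FAIL:", finding)
```

An empty result from `audit` means every allowed device is pinned to a serial that has a named owner and everything else is blocked by default.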