Towards a Comprehensive USB Flash Drive Policy?
sconeu asks: "The company I work for is going through some growing pains. This is a -good- thing, but due to the growth, some changes are necessary. I'm the guy who does IT and IT policy, however I'm actually a developer by job description -- I was doing IT on the side. Anyways, we're going through growth, and one of the things we are trying to address is security.
Currently, our policy is wide-open (for internal machines). The owner has expressed some reservations about the increasing use of flash drives, in an overall security setting. Everyone involved here realizes that there's not much we can do against a malicious employee, but we're looking to avoid accidental data loss from USB sticks, and other solid-state storage media.
Has anyone on Slashdot dealt with this issue? What policies and protections did you end up putting in place, if any?"
I work at a bank, which of course has some pretty stringent security policies. It's pretty simple here: USB is disabled in the BIOS. It can be enabled by special request (usually for execs and their PDAs) and in such cases, we disable USB2.0 (just 1.1), require stronger passwords on the workstation, and have a screensaver set to lock the PC after 3 minutes of inactivity. This doesn't mean we don't have problems from enthusiastic users that know how to change BIOS settings, but for the most part, problems were avoided.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I've heard of companies that had issues with flash drives, but I've never understood why. Could you explain it to me?
I assume it is a concern about people copying files to the flash drives and walking out with them. But small high-capacity removable media is not anything new. When 3.5" floppy drives were common, it was trivial to take large amounts of source code, documentation, etc. Then came CDs, with more of the same. Today, DVD disks are either 3.25" or 5.25" in diameter, completely flat, and hold far more than flash drives. Yet I've never heard of anyone concerned about the security implications of DVDs. Most of my coworkers have PDAs or laptops. And every computer in the office has internet access.
So why are flash drives so magical that they deserve special treatment?
I'm not sure why it should matter at all. If you are already resigned to the fact that a malicious person would still be able to do something or steal data, then why punish other individuals who use USB storage devices for the hypothetical Forces of Good? In my organization, we have several users who use USB sticks so that they can take their work home with them and we're supposed to encourage/enable them to do it (as the Admins).
But for what it's worth, we are not a bank or the military, so our policies reflect the laid-back nature of our organization.
"If you want to make an apple pie from scratch, you must first create the universe." - Carl Sagan
Yes, and the advancing technology of USB flash drives has made it easier to conceal them in other objects. For example, I have a friend at my school who has a watch which doubles as a 256MB USB drive. The connector and a short cable are hidden on the underside of the band. Pretty tough to stop USB drives when they can be combined with common items, unless you want to have a company-wide strip-search policy . . .