- ISO 27001 Controls A.7.10 (Storage media) and A.8.12 (Data leakage prevention) require controlled handling of removable media.
- USB ports should be managed through endpoint management: allow only approved, encrypted media and block everything else.
- Encryption is mandatory for all removable media containing company data. Hardware-encrypted USB drives are the best solution.
- The policy must also address secure disposal: media containing confidential data must be physically destroyed or wiped according to a certified standard.
- A complete USB ban is the safest and simplest option; most organizations end up with a ban plus a controlled exception process, and the policy must define how those exceptions are requested, approved, and closed.
Why removable media are a security risk
A USB stick costs three euros, fits in your pocket, and stores 128 gigabytes. That makes it the most convenient and simultaneously the most dangerous storage medium in any organization.
The risks are diverse and real:
Data loss through loss or theft: A USB stick containing customer data, contract details, or financial figures goes missing. Without encryption, whoever finds it has immediate access to everything. The GDPR breach notification duties apply: the supervisory authority must be notified, and the affected persons as well where the risk to them is high. With properly encrypted media and a key that was not lost together with the device, the incident is usually far less severe.
Malware infiltration: An employee brings in a USB stick from home without knowing it carries malware. Or an attacker leaves prepared USB sticks in the company parking lot (USB dropping). Once such a device is connected to a company computer, the malicious code can execute on the workstation and from there move into the network.
Uncontrolled data exfiltration: A disgruntled employee copies the complete customer database to a USB stick and takes it home. Without technical controls, there is no mechanism to prevent or even detect this.
Data remnants on disposed media: An external hard drive is decommissioned and passed on or disposed of without the data being securely erased. The data can be recovered with freely available tools.
A removable media policy addresses all of these risks through binding rules for usage, encryption, labeling, and disposal.
What the standards require
ISO 27001
Several controls in Annex A of ISO/IEC 27001:2022 address removable media:
A.7.10 Storage media: Storage media must be managed throughout their entire lifecycle according to the organization's classification scheme and handling requirements. This includes procurement, use, transport, storage, and disposal.
A.8.12 Data leakage prevention: Data leakage prevention measures must be applied to systems, networks, and devices that process, store, or transmit sensitive information. Controlling removable media is a central building block of Data Leakage Prevention (DLP).
A.8.10 Information deletion: Information on storage media must be deleted when no longer needed, in a manner that prevents recovery.
NIS2
NIS2 requires appropriate security measures under Article 21. The uncontrolled use of removable media is a gap that an auditor will flag. The policy documents that you have identified and addressed this risk.
Scope and definition
The policy first defines which media are considered removable media:
- USB sticks (USB-A, USB-C)
- External hard drives and SSDs
- SD cards and microSD cards
- Optical media (CD, DVD, Blu-Ray)
- Memory cards from cameras and mobile devices
- External tape drives (for backup purposes)
The policy applies to all employees, external staff, and service providers who have access to the organization's IT systems as part of their work. It covers both company-owned and personal removable media.
Usage strategy: Allow, restrict, or prohibit
Every organization must make a fundamental decision: Will removable media be allowed, restricted, or prohibited?
Option 1: Complete ban
The safest option. USB ports are technically blocked for storage devices (USB keyboards and mice remain allowed). Data is exchanged exclusively via approved network paths, cloud services, or encrypted email.
Advantages: Maximum security, easy enforcement, no risk from lost or compromised media.
Disadvantages: Limits flexibility, workaround risk (employees use personal cloud services instead of USB), not practical for all workstations (production, field service).
Option 2: Restricted use
Removable media are generally prohibited, but there are defined exceptions for specific roles or use cases. Only company-provided, encrypted media are permitted. Personal media are prohibited.
Advantages: Balance between security and practicality. Controllable through endpoint management.
Disadvantages: Higher administrative overhead, exceptions must be managed.
Option 3: Controlled permission
Removable media are generally allowed, but only when defined security requirements are met (encryption, registration, virus scan). Personal media may be permitted under conditions.
Advantages: Least restriction on employees.
Disadvantages: Highest residual risk, harder to enforce, more training required.
For most mid-market companies, Option 2 is recommended as a pragmatic compromise: a general ban with controlled exceptions for legitimate use cases.
Technical safeguards
The policy defines the technical measures that IT must implement.
USB port control
Modern endpoint management solutions can control USB ports in a differentiated manner:
- Block USB storage devices
- Allow only approved (whitelisted) devices based on their hardware ID
- Continue to allow USB keyboards, mice, and headsets
- Log all USB connections
The policy requires that USB port control is active on all workstations and laptops and is managed centrally. Note what port control does and does not cover: it blocks the storage class, but a malicious device that enumerates as a keyboard (keystroke injection, often called BadUSB) passes a class-based allow rule for input devices. This is one more reason why unknown devices must never be connected at all (see Handling found or unknown media), and why a hardware-ID allowlist is stronger than a class-based one.
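The "log all USB connections" requirement only pays off if someone compares the log against the allowlist. The following script is an added example for this article, not code from any endpoint-management product: it correlates Linux kernel messages for each attached USB device (constructed sample lines below), keys storage devices by the same (vendor ID, product ID, serial number) triple that device-ID rules use, and flags any mass-storage device that is not on a constructed allowlist. A storage device that reports no serial number cannot be matched and is flagged as well. On Windows the same correlation can be run over Security event 6416 ("A new external device was recognized by the system"); the asset IDs and serial numbers here are hypothetical.

```python
"""Flag USB mass-storage attachments that are not on the company allowlist.

Added example for this article; not code from any endpoint-management product.
Input is a list of Linux kernel log lines (constructed below). The allowlist
keys a device by the (vendor id, product id, serial number) triple.
"""
import re
from dataclasses import dataclass, field

# Constructed allowlist of company-issued, encrypted sticks (asset register extract).
ALLOWED_STORAGE = {
    ("0781", "5583", "4C530001234567890001"),  # hypothetical asset USB-0042
}

NEW_DEVICE = re.compile(
    r"\busb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
ATTRIBUTE = re.compile(
    r"\busb (?P<path>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)"
)
STORAGE = re.compile(
    r"\busb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    path: str                       # bus position, e.g. "1-1.2"
    vid: str
    pid: str
    attrs: dict = field(default_factory=dict)
    is_storage: bool = False


def parse_usb_events(lines):
    """Correlate the per-device kernel messages by bus path."""
    devices = {}
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
            continue
        m = ATTRIBUTE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]].attrs[m["key"]] = m["val"].strip()
            continue
        m = STORAGE.search(line)
        if m and m["path"] in devices:
            devices[m["path"]].is_storage = True
    return list(devices.values())


def classify(device, allowlist=ALLOWED_STORAGE):
    """'ignored' for non-storage classes, 'allowed' for a listed stick, else 'alert'."""
    if not device.is_storage:
        return "ignored"
    serial = device.attrs.get("SerialNumber")
    if serial is None:
        return "alert"          # no serial: cannot be matched, treat as unknown media
    return "allowed" if (device.vid, device.pid, serial) in allowlist else "alert"


def review(lines, allowlist=ALLOWED_STORAGE):
    """Return (path, 'vid:pid', serial, verdict) for each storage device seen."""
    return [
        (d.path, f"{d.vid}:{d.pid}", d.attrs.get("SerialNumber"), classify(d, allowlist))
        for d in parse_usb_events(lines)
        if d.is_storage
    ]


# Constructed sample: one allowlisted stick, a wireless mouse receiver, one unknown stick.
SAMPLE_LOG = [
    "Mar 12 09:14:03 ws-17 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "Mar 12 09:14:03 ws-17 kernel: usb 1-1.2: Product: Ultra Fit",
    "Mar 12 09:14:03 ws-17 kernel: usb 1-1.2: Manufacturer: SanDisk",
    "Mar 12 09:14:03 ws-17 kernel: usb 1-1.2: SerialNumber: 4C530001234567890001",
    "Mar 12 09:14:03 ws-17 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected",
    "Mar 12 09:20:41 ws-17 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11",
    "Mar 12 09:20:41 ws-17 kernel: usb 1-1.3: Product: USB Receiver",
    "Mar 12 09:20:41 ws-17 kernel: usb 1-1.3: Manufacturer: Logitech",
    "Mar 12 11:02:17 ws-17 kernel: usb 1-1.4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "Mar 12 11:02:17 ws-17 kernel: usb 1-1.4: Product: DataTraveler 3.0",
    "Mar 12 11:02:17 ws-17 kernel: usb 1-1.4: Manufacturer: Kingston",
    "Mar 12 11:02:17 ws-17 kernel: usb 1-1.4: SerialNumber: E0D55EA5C1F0",
    "Mar 12 11:02:17 ws-17 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Running it reports the SanDisk stick as allowed and the Kingston stick as an alert; the mouse receiver is not storage and is ignored. Feeding the output into the ticketing or SIEM system turns the "log everything" requirement into something an auditor can see acted upon, and the allowlist is the asset register from the Registration and labeling section, so both stay in sync.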
Autorun deactivation
The automatic execution of programs when a removable medium is connected (autorun/autoplay) must be deactivated on all systems. This is a fundamental protective measure against USB-based malware and should be enforced via Group Policy (GPO) and verified on the standard client image rather than assumed: current Windows versions no longer execute autorun.inf from USB storage by default, but AutoPlay prompts remain unless the "Turn off AutoPlay" policy is set for all drives.
Automatic virus scan
The policy requires that every removable medium is automatically scanned for malware upon connection, before file access is possible. The endpoint protection solution must be configured accordingly.
Encryption
All removable media containing company data must be encrypted. The policy defines:
Hardware encryption (preferred): USB sticks and external hard drives with built-in hardware encryption whose implementation has been independently validated (e.g., FIPS 140-2 or 140-3), not merely advertised. Encryption is always active and cannot be switched off by the user.
Software encryption: When hardware encryption is not available, the data must be encrypted with an approved encryption tool (e.g., BitLocker To Go, VeraCrypt). Minimum standard: AES-256. For BitLocker To Go this has to be set explicitly through the "Choose drive encryption method and cipher strength" policy, because the default for removable drives is 128-bit.
Key management: The policy references the cryptography policy for handling encryption keys. In practice this means two things: recovery keys are escrowed centrally (for example in Active Directory or the MDM), so a forgotten password does not mean the data is lost, and the password or key is never stored or transported together with the medium, so a lost stick does not also hand over its key.
DLP integration
If the organization uses a Data Leakage Prevention (DLP) solution, it must also monitor and, if necessary, block data transfers to removable media. The policy defines which data classifications may not be copied to removable media (e.g., "strictly confidential" is generally prohibited, "confidential" only on encrypted company media).
Registration and labeling
The policy requires that company-owned removable media are inventoried.
Asset register: Every medium issued by the company is recorded in an asset register — ideally as part of IT asset management: type, serial number/hardware ID, capacity, issue date, responsible person.
Labeling: Company-owned media are labeled with an inventory number and the company name (sticker, engraving).
Issuance and return: The policy defines who may request removable media, who issues them (IT department), and that they must be returned when no longer needed or when the employee leaves the organization.
Transport and storage
Transport: Removable media containing confidential data must not be left unattended (e.g., in a car, hotel room, or visibly on a desk). Special care is required when transporting them outside the organization.
Storage: Unused media are stored securely: in a locked cabinet or desk, not openly accessible.
Shipping: Removable media containing confidential data may only be sent by post or courier in encrypted form, with the password or key communicated through a separate channel. The policy may additionally require insured shipping and a delivery confirmation.
Secure disposal
Disposal of removable media is a frequently overlooked risk. The policy must define clear rules.
Deletion
Simple deletion (moving files to the recycle bin, quick formatting) is not sufficient. The data can be recovered with freely available tools.
Secure deletion: For magnetic hard drives, overwriting the entire medium once with random data is sufficient; multi-pass schemes add nothing on current drives (NIST SP 800-88 Rev. 1, "Clear"). For flash media (USB sticks, SD cards, SSDs) an overwrite issued through the operating system is not reliable: wear levelling and spare blocks keep copies of data in cells the overwrite never reaches. Flash media are sanitized with the drive's own sanitize or secure-erase command (NIST SP 800-88 "Purge") or by cryptographic erasure, and the result is verified by reading the medium back. Tools: NIST SP 800-88 compliant software.
Cryptographic erasure: For encrypted media, the encryption key can be destroyed. The data is then unreadable without the key. This method is fast and secure when correctly implemented, which means the medium was encrypted from first use (nothing was ever written in the clear) and every copy of the key, including escrowed recovery keys, is destroyed as well.
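To make the "simple formatting is not sufficient" point concrete, and to show what the verification step after an overwrite looks like, here is an added example for this article (not taken from any wiping tool). It works on a file-backed image constructed in a temporary directory instead of a real device: a known marker string is written into the image, a quick format is imitated by rewriting only the leading metadata area, and a raw scan shows the marker is still there; after a single random-data pass the same scan comes back empty. The scan reads in fixed-size chunks with an overlap so that a hit straddling a chunk boundary is not missed, which is the mistake a naive verifier makes. Pointed at a block device instead of the image, the scan function is the read-back check the policy asks for; for flash media it verifies a sanitize or cryptographic erase, since an OS-level overwrite is not the right method there. Marker text and image size are constructed.

```python
"""Why a quick format is not deletion, and how to verify a one-pass overwrite.

Added example for this article, not taken from any wiping tool. It runs on a
file-backed image constructed here instead of a real device; the same scan
function can be pointed at a block device after a wipe. For flash media an
overwrite issued through the operating system cannot reach blocks the
controller has remapped, so use the drive's sanitize / secure-erase command
or cryptographic erasure (NIST SP 800-88) and verify with the read-back scan.
"""
import os
import secrets
import tempfile

MARKER = b"CONFIDENTIAL: customer list 2024"   # constructed stand-in for sensitive content
CHUNK = 1 << 20                                 # 1 MiB read size keeps memory bounded on large devices


def create_image(path, size=4 * CHUNK + 123):
    """Constructed 'medium': filler with two copies of the marker, one straddling a chunk boundary."""
    with open(path, "wb") as f:
        f.write(b"\x00" * size)
        f.seek(size // 2)
        f.write(MARKER)
        f.seek(CHUNK - len(MARKER) // 2)
        f.write(MARKER)


def quick_format(path, metadata_area=64 * 1024):
    """Imitate a quick format: only the leading metadata area is rewritten, file content stays."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * metadata_area)


def overwrite_once(path):
    """Single pass of random data across the whole image, flushed to storage."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def scan_for_marker(path, marker=MARKER):
    """True if marker occurs anywhere on the medium; keeps an overlap so boundary hits are not missed."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def demo():
    """Returns (found_before, found_after_quick_format, found_after_overwrite)."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "stick.img")
        create_image(img)
        before = scan_for_marker(img)
        quick_format(img)
        after_format = scan_for_marker(img)
        overwrite_once(img)
        after_wipe = scan_for_marker(img)
    return before, after_format, after_wipe


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The quick format leaves both copies of the marker intact, which is exactly what a recovery tool exploits; only the full overwrite removes them. In production the markers are not known in advance, so the read-back check instead samples blocks across the whole device and confirms that none still contain recognizable file structures or readable text; the chunked, overlapping read pattern stays the same.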
Physical destruction
For media containing strictly confidential data or when secure deletion cannot be guaranteed:
- USB sticks and SD cards: Physical destruction (shredder, breaking the chip)
- Hard drives: Professional media destruction per DIN 66399, security level H-3 or higher
- Optical media: Shredder or breaking
Destruction is documented: date, type of medium, serial number (if available), destruction method, person responsible. For external destruction by a service provider, a certificate of destruction is obtained.
Reuse
Media intended for reuse must be securely wiped before being passed on. The policy specifies that simple formatting is not sufficient and which deletion method must be applied.
Handling found or unknown media
The policy must provide clear instructions for the case where an employee finds an unknown removable medium (in the parking lot, in a meeting room, received by mail):
Do not connect it. Under no circumstances should an unknown medium be connected to a company computer. Not even "just to take a quick look." No matter how curious you are.
Hand it to IT. The medium is handed over to IT or the CISO, who can examine it in an isolated environment (a dedicated, non-networked analysis machine, never a production workstation).
Report the incident. If the medium was obviously placed deliberately (e.g., labeled with the company name despite not belonging to the organization), the incident is treated as a potential social engineering attack.
Exceptions and approval process
In practice, there are legitimate reasons for using removable media, even when the policy imposes a general ban:
- Data exchange with clients who offer no other option
- Technical maintenance of machines that can only be configured via USB
- Backup of systems without network connectivity
- Presentations at client sites when connecting your own laptop is not possible
The policy defines an exception process:
- Request: The employee requests the exception from IT with a justification.
- Review: IT checks whether a more secure alternative exists (cloud share, encrypted email, secure transfer platform).
- Approval: If no alternative is possible, IT approves the use of an encrypted company medium for the specific use case.
- Time limit: The approval is time-limited. After the purpose is fulfilled, the medium is returned and securely wiped.
- Documentation: The exception is documented (who, why, which medium, which time period). In ISMS Lite, such exception approvals can be created as measures with deadlines and responsible persons, making them immediately verifiable in an audit.
Sample outline
- Purpose and scope
- Terms and definitions — Removable media, types, affected personnel
- Normative references — ISO 27001 A.7.10, A.8.10, A.8.12, NIS2
- Fundamental decision — Ban with exceptions, restricted use, or controlled permission
- Approved media — Company media only, encrypted, registered
- Technical safeguards — USB port control, autorun, virus scan, DLP
- Encryption — Hardware encryption, software encryption, minimum standards
- Registration and labeling — Asset register, inventory number
- Transport and storage
- Secure disposal — Deletion, physical destruction, documentation
- Found or unknown media — Instructions for action
- Exceptions and approval process
- Responsibilities
- Violations and consequences
- Review and update
- Effective date and approval
Training and awareness
Technical measures alone are not enough. Employees must understand why removable media pose a risk and how to handle them.
Introductory training: When the policy takes effect, all employees receive brief training on the fundamentals: what is prohibited, what is allowed, how does the exception process work, and why are unknown USB sticks dangerous?
Practical examples: Training should use real incidents as examples: ransomware infection via a USB stick, data loss from an unencrypted USB stick left on a train, a social engineering attack via USB dropping in a parking lot. Concrete stories stick in memory better than abstract rules.
Annual refresher: As part of general security awareness training, the topic of removable media is regularly revisited, especially when the policy has changed or a relevant incident has occurred.
Test scenarios: Some organizations conduct controlled USB dropping tests: prepared USB sticks (without malware but with tracking) are placed on company premises. Anyone who connects them to a computer receives a friendly training message instead of an attack. These tests provide valuable data about security awareness and should be conducted in coordination with the works council.
From policy to secure practice
USB sticks and external hard drives are not going to disappear from everyday work. But with a clear policy, technical enforcement, and regular training, the risk can be reduced to an acceptable level. The key lies in the combination of technical controls (USB port management, encryption) and organizational measures (policy, training, exception process).
ISMS Lite covers the complete policy lifecycle: you create the removable media policy with AI assistance, automatically version every change, collect digital acknowledgment from all employees, and have management sign off on the approval. This makes the policy a binding, verifiable component of your ISMS.
