3.1.21 has a weight of -1 points

(Access Control Family) 21/22

Limit use of portable storage devices on external systems.



Example of System Security Plan (SSP):

    System Security Plan (SSP) Section for Control 3.1.21:


    Control: 3.1.21 – Limit the use of portable storage devices on external information systems.


    Implementation:

    The organization has established a policy that prohibits the use of portable storage media on external systems. This policy is outlined in both our IT use and cybersecurity documentation. The following measures detail our approach:

    1. Prohibition and Restrictions:

      • The default stance of our organization is a complete prohibition on the use of organization-controlled portable storage devices on external systems.

      • Exceptions, if any, are limited and clearly outlined in our IT use and cybersecurity policy. These exceptions consider both the nature of the data being transferred and the security posture of the external system.

    2. Definition of External Systems:

      • While “external” typically implies systems outside of our organization’s immediate authority and supervision, for the purpose of this control, the term is more expansive.

      • Within our organization’s infrastructure, there exist systems designated for processing Controlled Unclassified Information (CUI) and others that are not. Even among systems that do process CUI, there are delineated access restrictions. As such, any system that isn’t explicitly authorized to access a specific segment of CUI is treated as “external” to that data, regardless of whether it belongs to our organizational infrastructure.

    3. Oversight and Auditing:

      • Our IT and cybersecurity teams routinely monitor the use of portable storage devices. Any violations of the aforementioned policy result in immediate action, up to and including revocation of system access and disciplinary measures.

      • Audits are conducted periodically to ensure compliance and to identify potential areas of improvement.

     

    Example of Plan of Action and Milestones (POA&M):

    Plan of Action & Milestones (POA&M) for Control 3.1.21:


    Control: 3.1.21 – Limit the use of portable storage devices on external information systems.


    1. Milestone: Development and Approval of Policies

    • Action: Ensure the IT use and cybersecurity documentation prohibiting the use of portable storage media on external systems is up-to-date and approved by the executive leadership.
    • Expected Completion Date: [Specify date]
    • Responsible Party: IT Department Head, Cybersecurity Officer
    • Status: [In Progress/Completed/Not Started]

    2. Milestone: Staff Training and Awareness

    • Action: Conduct an organization-wide training session about the policy and the importance of not using portable storage devices on external systems.
    • Expected Completion Date: [Specify date]
    • Responsible Party: HR and IT Training Teams
    • Status: [In Progress/Completed/Not Started]

    3. Milestone: Continuous Monitoring System

    • Action: Implement a monitoring system to detect and alert on any unauthorized use of portable storage devices on external systems.
    • Expected Completion Date: [Specify date]
    • Responsible Party: IT and Cybersecurity teams
    • Status: [In Progress/Completed/Not Started]

    4. Milestone: Audit Procedures

    • Action: Develop a detailed auditing procedure to periodically assess the effectiveness of the controls in place for limiting the use of portable storage devices.
    • Expected Completion Date: [Specify date]
    • Responsible Party: Internal Audit Team
    • Status: [In Progress/Completed/Not Started]

    5. Milestone: Reporting Mechanism for Violations

    • Action: Implement a mechanism for employees and other stakeholders to report violations or potential risks associated with portable storage devices.
    • Expected Completion Date: [Specify date]
    • Responsible Party: IT Department and Cybersecurity teams
    • Status: [In Progress/Completed/Not Started]

    6. Milestone: Review and Refinement

    • Action: Conduct a semi-annual review of the policy and its effectiveness, making adjustments as needed based on evolving technological and organizational contexts.
    • Expected Completion Date: [Specify date]
    • Responsible Party: Cybersecurity Officer, IT Department Head
    • Status: [In Progress/Completed/Not Started]

     

    Portable Storage Device Usage Policy:

    Portable Storage Device Usage Policy


    1. Purpose and Scope

    This policy outlines the guidelines and conditions under which portable storage devices may be used in connection with external systems. It aims to protect the organization’s data, especially Controlled Unclassified Information (CUI), from unauthorized access, disclosure, and transfer.


    2. Definitions

    • Portable Storage Device: Any removable electronic storage medium including, but not limited to, USB drives, external hard drives, SD cards, and other flash storage devices.

    • External Systems: Information systems not under the organization’s direct supervision and authority. Within the scope of CUI, any system not explicitly authorized to process specific CUI data segments will also be considered “external,” regardless of its organizational affiliation.


    3. Policy Statement

    • General Prohibition: By default, the use of organization-controlled portable storage devices on external systems is prohibited.

    • Exceptions: Any exceptions to this rule are to be limited and will require explicit prior approval from the IT and Cybersecurity departments. Approved exceptions will consider both the nature of data and the security status of the external system.


    4. Usage Restrictions and Conditions (For Approved Exceptions)

    1. Data Transfer: When transferring CUI to a portable storage device, ensure the data is encrypted in transit and at rest.

    2. Storage Limitation: CUI should not be stored on portable storage devices for longer than necessary. Once the purpose is achieved, the data must be securely deleted from the device.

    3. Device Security: Devices must be free from malware and up to date with the latest security patches.


    5. Responsibilities

    • All staff are responsible for following this policy and related procedures.

    • The IT and Cybersecurity departments are responsible for granting exceptions, overseeing policy adherence, and conducting periodic reviews.


    6. Violations

    Non-compliance with this policy can result in:

    • Revocation of system access privileges.

    • Disciplinary action, up to and including termination of employment.

    • Potential legal ramifications depending on the nature of the data breach or disclosure.


    7. Review and Updates

    This policy will be reviewed annually by the Cybersecurity and IT departments. Amendments will be made as deemed necessary, based on technological advancements, changes in legal regulations, or organizational needs.


    8. Approval

    This policy has been approved by:

    [Organization’s Executive/Leadership Name]

    Date: [Date]


    Please note that while this is a comprehensive draft policy, the specific needs, risks, and context of your organization should be considered. It’s advisable to consult with your IT and legal departments or other relevant stakeholders before finalizing and implementing the policy.

     

    RELEVANT INFORMATION:

    Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.