3.8.8 has a weight of -3 points

(Media Protection Family) 8/9

Prohibit the use of portable storage devices when such devices have no identifiable owner.


Example of System Security Plan (SSP):


    System Security Plan (SSP) for Control 3.8.8
    Prohibition of Unidentifiable Portable Storage Devices


    1. Control Overview:
    Control 3.8.8 prohibits the use of portable storage devices that have no identifiable owner. A device that cannot be traced to an accountable individual, project or organization is a ready vehicle for unauthorized data transfer and for introducing malicious code; refusing such devices protects the confidentiality and integrity of our systems and of the CUI they process.


    2. Purpose:
    To establish a stringent security boundary by disallowing the use of unmarked or unidentified portable storage devices within our infrastructure.


    3. Implementation:

    3.1 Device Identification:
    All organization-issued portable storage devices are distinctly marked or labeled, indicating both organizational ownership and the user assigned, if applicable.

    3.2 Strict Prohibition:
    No employee or affiliated individual is permitted to insert or use unmarked or personal portable storage devices on the company’s systems or devices.

    3.3 Unidentified Device Protocol:
    Anyone who discovers an unidentifiable portable storage device on our premises must not connect it to any system and must hand it to the IT department without delay. IT records the discovery (where, when, by whom), treats the device as a possible security incident rather than plugging it into a production system, retains it as evidence while any investigation is open, and then securely destroys it.

    3.4 Device Management:

    • The Facility Security Officer (FSO) exclusively oversees the issuance of organization-approved portable storage devices.
    • An inventory control log, managed by the FSO, tracks device issuance, return dates, and unique identifiers.
    • Post-usage, all devices are returned to the FSO for media sanitization and a reset to a factory state, and the return and sanitization are recorded in the inventory log.

    3.5 Personal Device Policy:
    Only organization-procured and issued portable storage devices are permitted for use, thereby entirely disallowing personal devices.
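    The inventory log in 3.4 and the personal-device prohibition in 3.5 only bite if something compares the devices actually plugged into a host against that log. The script below is an added example, not part of the original SSP: it reconciles the USB storage devices a Linux host reports, in the KEY=VALUE form printed by `udevadm info --query=property`, with an extract of the FSO inventory. The CSV column layout, the verdict names, the sample inventory rows and the sample udev output are all constructed for illustration. It distinguishes the three ways a device can fail the control: not in the inventory at all, in the inventory but already returned to the FSO, and reporting no serial number, which many low-cost drives do and which by itself makes the device unidentifiable.

```python
"""Reconcile USB storage devices a host reports with the FSO inventory log.

Added example for control 3.8.8 (not from the original SSP). A device that
cannot be matched to an issued inventory record has no identifiable owner.
Inventory columns, verdict names and all sample data are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed extract of the FSO inventory log (assumed column layout).
# vid/pid are the USB vendor and product IDs; serial is the device's own
# serial number (ID_SERIAL_SHORT in udev terms).
INVENTORY_CSV = """asset_id,vid,pid,serial,owner,status
USB-0001,0781,5583,4C530001230421115232,j.doe,issued
USB-0002,0781,5583,4C530009870117221001,project-apollo,issued
USB-0003,0951,1666,E0D55EA5739AF2B0A9C3,r.roe,returned
"""

# Constructed sample in the KEY=VALUE form of `udevadm info --query=property`,
# one blank-line-separated block per device; only the keys read here are kept.
# The third device exposes no ID_SERIAL_SHORT at all.
UDEV_SAMPLE = """ID_BUS=usb
ID_USB_DRIVER=usb-storage
ID_VENDOR_ID=0781
ID_MODEL_ID=5583
ID_SERIAL_SHORT=4c530001230421115232

ID_BUS=usb
ID_USB_DRIVER=usb-storage
ID_VENDOR_ID=0951
ID_MODEL_ID=1666
ID_SERIAL_SHORT=E0D55EA5739AF2B0A9C3

ID_BUS=usb
ID_USB_DRIVER=usb-storage
ID_VENDOR_ID=abcd
ID_MODEL_ID=1234

ID_BUS=usb
ID_USB_DRIVER=usb-storage
ID_VENDOR_ID=13fe
ID_MODEL_ID=4300
ID_SERIAL_SHORT=070B7E7A9B9B1B3A
"""

Key = Tuple[str, str, str]  # (vid, pid, serial) after case normalization


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    serial: Optional[str]  # None when the device exposes no serial number

    def key(self) -> Optional[Key]:
        if not self.serial:
            return None
        # Serials are only meaningful per vendor/product, so match on all three.
        return (self.vid.lower(), self.pid.lower(), self.serial.upper())


def parse_udev_properties(text: str) -> List[Device]:
    """Parse blocks of KEY=VALUE lines, keeping only USB mass-storage devices."""
    devices: List[Device] = []
    for block in text.strip().split("\n\n"):
        props = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        if props.get("ID_BUS") != "usb" or props.get("ID_USB_DRIVER") != "usb-storage":
            continue  # hubs, keyboards, etc. are out of scope for 3.8.8
        devices.append(Device(vid=props.get("ID_VENDOR_ID", ""),
                              pid=props.get("ID_MODEL_ID", ""),
                              serial=props.get("ID_SERIAL_SHORT") or None))
    return devices


def load_inventory(csv_text: str) -> Dict[Key, dict]:
    """Index the inventory by (vid, pid, serial) so lookups are exact."""
    inventory: Dict[Key, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inventory[(row["vid"].lower(), row["pid"].lower(), row["serial"].upper())] = row
    return inventory


def classify(dev: Device, inventory: Dict[Key, dict]) -> Tuple[str, Optional[str]]:
    """Return (verdict, owner). Only 'approved' satisfies 3.8.8."""
    key = dev.key()
    if key is None:
        return "no_serial", None               # cannot be tied to any record
    row = inventory.get(key)
    if row is None:
        return "unknown", None                 # never issued by the organization
    if row["status"] != "issued":
        return "not_in_service", row["owner"]  # known device, but returned to the FSO
    return "approved", row["owner"]


def reconcile(udev_text: str, inventory_csv: str) -> List[dict]:
    """Classify every USB storage device in udev_text against the inventory."""
    inventory = load_inventory(inventory_csv)
    results = []
    for dev in parse_udev_properties(udev_text):
        verdict, owner = classify(dev, inventory)
        results.append({"vid": dev.vid, "pid": dev.pid, "serial": dev.serial,
                        "verdict": verdict, "owner": owner})
    return results


def violations(results: List[dict]) -> List[dict]:
    """Devices to report under the Unidentified Device Protocol (3.3)."""
    return [r for r in results if r["verdict"] != "approved"]


if __name__ == "__main__":
    for r in reconcile(UDEV_SAMPLE, INVENTORY_CSV):
        print(f"{r['vid']}:{r['pid']} serial={r['serial'] or '-'} "
              f"-> {r['verdict']} owner={r['owner'] or '-'}")
```

    On a real host the property text comes from `udevadm info --query=property --name=/dev/sdX` for each block device; the same vendor, product and serial values are what Windows exposes in a USB device's PnP instance ID, so the inventory format carries over. Matching on vendor and product ID as well as serial matters because serial numbers are assigned per vendor and are not unique across them. Treating a missing serial as a failure, rather than falling back to vendor and product ID alone, is deliberate: two drives of the same model are then indistinguishable, so neither can be said to have an identifiable owner.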


    4. Training and Awareness:
    Employees undergo regular training sessions concerning this control, ensuring comprehensive understanding and compliance. The emphasis is on the potential security risks associated with unidentifiable devices.


    5. Monitoring and Review:
    This control will be evaluated and reviewed annually by the IT and cybersecurity teams to confirm its continued relevance and effectiveness against emerging threats.


    Document Approved by:
    [Name, Title, Date]



    Example of Plan of Action and Milestones (POA&M):

    Plan of Actions & Milestones (POA&M) for Control 3.8.8
    Prohibition of Unidentifiable Portable Storage Devices


    1. Issue/Weakness Identification:
    Portable storage devices currently in use are not consistently marked, so an unidentified device cannot be distinguished from an issued one and responsibility for a device's contents cannot be assigned. This leaves the organization open to unauthorized data transfer and to malicious code introduced on unvetted media.

    2. Objective:
    All portable storage devices within the organization should be clearly marked and identifiable to ensure that no unidentifiable devices are used, thereby mitigating potential security risks.


    3. Actions & Milestones:

    3.1 Procurement of Device Identification Tags:
    Action: Order custom identification tags/stickers for portable storage devices that include the organization’s logo and a unique identifier.
    Deadline: [Specific Date]

    3.2 Tagging Existing Devices:
    Action: Once the identification tags are received, organize a device return drive where employees bring in their issued storage devices for tagging.
    Deadline: [Specific Date + 1 Month]

    3.3 Training Session:
    Action: Hold a training session to educate employees about the importance of using only identifiable devices, the risks of unidentifiable devices, and the new identification system.
    Deadline: [Specific Date + 2 Months]

    3.4 Policy Update:
    Action: Update the IT and cybersecurity policy to reflect the use of identification tags on portable storage devices.
    Deadline: [Specific Date + 3 Months]

    3.5 Device Inspection Drives:
    Action: Organize regular (e.g., quarterly) device inspection drives to ensure all devices in use are properly tagged. Any unidentified device found during these drives will be handled per the Unidentified Device Protocol.
    Deadline: [Specific Date + 4 Months and Ongoing]


    4. Responsibility Assignments:
    4.1 Procurement Team: Order and receive device identification tags.
    4.2 IT Department: Lead the device tagging drive and update IT policies.
    4.3 HR/Training Department: Organize training sessions.
    4.4 FSO (Facility Security Officer): Oversee the entire process, ensuring compliance and maintaining the inventory log.


    5. Review and Monitoring:
    Action: Monthly review meetings to monitor progress, address any challenges, and adjust deadlines if necessary.
    Start Date: [Specific Date + 1 Month]

    Example Company Policy: Control over Portable Storage Devices:

    Company Policy: Control over Portable Storage Devices

    Document No.: CP-3.8.8
    Effective Date: [Insert Date]
    Revision No.: 01
    Review Date: [Insert Date – typically one year from Effective Date]
    Approved By: [Name/Title/Department]

    1. Purpose:
    To ensure the security and integrity of company data by regulating the use of portable storage devices and ensuring that only identifiable and authorized devices are used within the company.

    2. Scope:
    This policy applies to all employees, contractors, and third parties who use or have access to company-owned and operated information systems.

    3. Policy:

    3.1 Only company-provided and approved portable storage devices may be used on company systems.

    3.2 All company-provided portable storage devices must be clearly labeled with the company's name, the assigned owner (individual, project or department), the inventory identifier recorded by the FSO, and the Controlled Unclassified Information (CUI) markings required for the data they carry.

    3.3 Personal portable storage devices are prohibited from being connected to company systems.

    3.4 If any employee finds an unidentifiable or unmarked portable storage device within company premises:

    • They must not insert or connect it to any device.
    • It should be immediately handed over to the IT department.

    3.5 The IT department records each handed-in device, retains it as possible evidence without connecting it to any production system, and securely destroys it once any investigation is closed.

    3.6 The procurement department shall ensure that all newly procured portable storage devices are tagged with a unique identifier and entered in the FSO's inventory log before they are issued.

    3.7 Regular training and awareness sessions will be conducted by the IT department to ensure employees are familiar with this policy and the associated security risks.

    4. Violations:
    Any employee found violating this policy may be subject to disciplinary action, up to and including termination of employment.

    5. Policy Review:
    This policy will be reviewed annually or as deemed necessary by the company’s management.


    RELEVANT INFORMATION:

    Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).

    Resources to consider:

    Portable Storage Device Policy:

    The policy that governs removable media (such as the Company Policy above): which devices may be used, how they are marked, how unidentified devices are handled, and the consequences of violations. It should state plainly that devices with no identifiable owner are prohibited, since that is the wording an assessor will test the control against.

    Portable Storage Device Inventory:

    The FSO's inventory control log listing every organization-issued device with its unique identifier (asset tag and, where the device reports one, its serial number), the assigned owner (individual, project or organization), issue and return dates, and the sanitization performed on return. This log is the evidence that every device in use has an identifiable owner.

    Unidentified Device Handling Log:

    A record of every unmarked or unidentified device found on the premises: where and when it was found, who handed it in, confirmation that it was never connected to a company system, and its final disposition (retained as evidence or destroyed).

    Device Inspection Records:

    The schedule and results of the periodic inspection drives, including any untagged devices found and how each was handled.

    Technical Enforcement Configuration (where implemented):

    Endpoint configuration that restricts removable storage to approved devices, for example an allow list keyed to the identifiers recorded in the inventory, with the configuration export kept as evidence. Where no such control is in place, the policy, inventory and inspection records carry the full weight of the control.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.