Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code). 

Priority: High

Category: Personnel Security

Services Associated with AWS:

  • AWS Systems Manager, AWS IAM, AWS Security Hub

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
  • Technical: screenshot of DLP technology, if applicable

Possible Technology Considerations:

  • Data Loss Prevention (DLP)

What needs to be answered:

Do all portable storage devices have identifiable owners? Have unused removable media that contain support files been removed or disabled? Are only approved portable storage devices under asset management used to store CUI data?

  • Prohibition of Unowned Portable Storage Device Usage
    Description: This check ensures that the organization has implemented policies and measures prohibiting the use of portable storage devices that have no identifiable owner. Portable storage devices, such as USB drives or external hard disk drives, introduce security risk when used without clear ownership and accountability. Requiring an identifiable owner for each device helps mitigate the risk of unauthorized use and of the introduction of malicious code, and provides a point of accountability for remediating known device vulnerabilities.

More Details:

Policies and training prohibit installation of unknown devices.