Level 2
Description:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
Priority: High
Domain: MEDIA PROTECTION (MP)
Category: Personnel Security
Services Associated with AWS:
- AWS Systems Manager
- AWS IAM
- AWS Security Hub
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Resource Manager (ARM)
- Azure Policy
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
- Technical: screenshot of DLP technology, if applicable
Possible Technology Considerations:
- Data Loss Prevention (DLP)
What needs to be answered:
- Do all portable storage devices have identifiable owners?
- Have unused removable media that contain support files been removed or disabled?
- Are only approved portable storage devices under asset management used to store CUI data?
Checks for AWS
- Prohibition of Unowned Portable Storage Device Usage
Description: This check ensures that organizations have implemented policies and measures to prohibit the use of portable storage devices when such devices have no identifiable owner. Portable storage devices, such as USB drives or external hard disk drives, can introduce security risks if used without clear ownership and accountability. Requiring identifiable owners for these devices helps mitigate the risk of unauthorized use, introduction of malicious code, and lack of accountability.
Checks for Azure
- Prohibition of Unowned Portable Storage Device Usage
Description: Similar to the AWS check, this policy ensures that organizations have implemented measures to prohibit the use of portable storage devices (e.g., USB drives, external hard disk drives) that do not have identifiable owners. Having identifiable owners for such devices helps mitigate the risk of unauthorized use, introduction of malicious code, and lack of accountability.
- Removal or Disabling of Unused Removable Media
Description: This policy check verifies whether unused removable media, including media containing support files, have been properly removed or disabled. Unused removable media can pose security risks, as they might contain sensitive data or outdated information that could be exploited if left unattended.
- Approval of Portable Storage Devices under Asset Management for Storing CUI Data
Description: This policy ensures that only approved portable storage devices, which are tracked in the organization's asset management system, are used for storing Controlled Unclassified Information (CUI) data. By controlling the types of devices used for sensitive data storage, the organization can enforce better security practices and reduce the risk of data breaches.
- Data Loss Prevention (DLP) Implementation
Description: This policy checks for the presence and proper configuration of Data Loss Prevention (DLP) technology in the Azure environment. DLP technology helps prevent the accidental or intentional exfiltration of sensitive data from the organization's systems and applications. The policy verifies that DLP is implemented and operational as an additional layer of protection for data.
More Details:
Policies and training prohibit installation of unknown devices.