Require Encryption on Portable Media
Plain English Translation
Organizations that allow the use of portable media devices, such as USB drives or external hard drives, must ensure that all data stored on these devices is encrypted. This prevents unauthorized individuals from accessing sensitive business data if the physical device is lost or stolen.
Technical Implementation
Required Actions (startup)
- Purchase hardware-encrypted FIPS-validated USB drives for staff who need portable storage.
- Update the acceptable use policy to mandate encryption for any removable media.
Required Actions (scaleup)
- Implement BitLocker To Go or similar OS-level controls to enforce USB drive encryption.
- Centrally store and manage BitLocker recovery keys in a directory service like Active Directory or Entra ID.
Required Actions (enterprise)
- Deploy enterprise-grade endpoint data loss prevention (DLP) tools to automatically block unencrypted USB storage devices.
- Audit endpoint logs to identify attempts to mount unencrypted media.
Yes, under CyberSecure Canada 6.4.3.1(b) portable media encryption requirements, organizations that permit portable media must mandate the use of encryption on all such devices to protect data at rest.
Portable media includes any removable storage capable of holding data, such as USB flash drives, SD cards, micro-SD cards, external hard drives, and solid-state drives used to transfer or store files.
Organizations can enforce USB drive encryption by deploying endpoint management policies (like Intune or Group Policy) that block write access to unencrypted drives, or by exclusively issuing hardware-encrypted USB drives. Tools like WatchDog Security's Compliance Center can track implementation status and store configuration exports or screenshots as evidence for auditors.
Administrators can require BitLocker To Go by configuring the 'Deny write access to removable drives not protected by BitLocker' setting in Windows Group Policy, ensuring users cannot save files to unencrypted media.
To block unencrypted USB storage devices, IT can configure Group Policy, endpoint protection platforms, or mobile device management (MDM) tools to either block USB mass storage entirely or restrict write access to encrypted volumes only.
Industry best practices typically require AES-128 or AES-256 encryption. For higher-security environments, using FIPS-validated encryption for removable media (such as FIPS 140-2 or 140-3 validated hardware drives) is strongly recommended.
Organizations should automatically back up BitLocker To Go recovery keys to a centralized directory, such as Active Directory or Microsoft Entra ID, ensuring IT can recover data if an employee forgets their password.
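The following PowerShell script is an added example, not code from WatchDog Security or from the CyberSecure Canada standard. It shows how an administrator can verify the three Windows-side controls described above on a single endpoint: that the "Deny write access to removable drives not protected by BitLocker" policy is in force, which attached removable drives are not fully encrypted with BitLocker To Go, and that recovery passwords for encrypted drives are escrowed to Active Directory or Microsoft Entra ID. It assumes the Group Policy setting is reflected in the `RDVDenyWriteAccess` registry value under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (the value name is an assumption to confirm against your policy template), that the built-in BitLocker module is available, and that AD escrow has been enabled by the corresponding "Store BitLocker recovery information in AD DS" policy.

```powershell
# Added example (not from the WatchDog Security page or CyberSecure Canada).
# Run in an elevated PowerShell session on a Windows endpoint with the
# BitLocker module present (Windows 10/11 Pro/Enterprise or Windows Server).

# Assumption: the GPO "Deny write access to removable drives not protected by
# BitLocker" is stored as the DWORD RDVDenyWriteAccess = 1 under the FVE policy key.
function Test-RemovableDenyWritePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.RDVDenyWriteAccess -eq 1)
}

# Return every removable data volume that is not fully encrypted with BitLocker.
# An empty result is the state an auditor expects to see on a compliant endpoint.
function Get-UnencryptedRemovableVolume {
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'Data' -and
        $_.MountPoint -match '^[A-Z]:$' -and
        (Get-Volume -DriveLetter $_.MountPoint.TrimEnd(':')).DriveType -eq 'Removable' -and
        $_.VolumeStatus -ne 'FullyEncrypted'
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
}

# Escrow the recovery password of each BitLocker-protected data volume to the
# directory. 'AD' uses Backup-BitLockerKeyProtector (requires the AD DS backup
# policy), 'Entra' uses BackupToAAD-BitLockerKeyProtector on Entra-joined devices.
function Backup-RemovableRecoveryKey {
    param([ValidateSet('AD', 'Entra')][string]$Target = 'AD')
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'Data') {
        $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $protectors) {
            if ($Target -eq 'AD') {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            } else {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
            }
            "Escrowed recovery password $($kp.KeyProtectorId) for $($vol.MountPoint) to $Target"
        }
    }
}

# Usage: produce a one-object summary suitable for attaching as audit evidence.
[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    DenyWritePolicyEnforced = Test-RemovableDenyWritePolicy
    UnencryptedRemovable    = @(Get-UnencryptedRemovableVolume | ForEach-Object { $_.MountPoint })
    Checked                 = (Get-Date).ToString('s')
} | ConvertTo-Json
```

The summary object deliberately captures both the policy state and the observed drives, because a policy that is configured but not applied (for example, a machine outside the target OU) still leaves unencrypted media writable; comparing the two fields across the fleet is what turns this into a meaningful control check rather than a configuration screenshot.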
Yes. CyberSecure Canada requires organizations to mandate the sole use of organization-owned secure media. Employee-owned (BYOD) drives should be strictly prohibited for work data.
Acceptable audit evidence for portable media encryption control includes a documented portable media encryption policy template, screenshots of enforced Group Policy or Intune settings, and asset inventories listing hardware-encrypted drives. Tools like WatchDog Security's Compliance Center can centralize these artifacts, link them to CSC-06-023, and flag missing evidence over time.
On macOS, organizations can use MDM tools to enforce FileVault or require that external drives are formatted with APFS Encrypted. Linux devices can leverage LUKS (Linux Unified Key Setup) to encrypt external hard drives for business use.
Auditors often expect proof that the encryption requirement is formally documented and communicated to staff who may use removable media. Tools like WatchDog Security's Policy Management can help by maintaining version-controlled policies, collecting employee acknowledgements, and producing acceptance reports when evidence is requested.
Maintaining a list of approved, encrypted portable media helps demonstrate that only compliant devices are issued and used for business data transfers. Tools like WatchDog Security's Asset Inventory can record assigned devices and owners, while WatchDog Security's Compliance Center can link the inventory and procurement records to this control as audit evidence.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |