Use Only Organization-Owned Secure Media
Plain English Translation
If an organization uses portable media like USB flash drives or external hard drives, it must strictly prohibit the use of personal devices. Instead, the organization must provide and mandate the use of organization-owned, secure portable media. This prevents sensitive business data from leaving the corporate environment on unmanaged devices and stops malicious files from entering the network via personal USBs.
Technical Implementation
Required Actions (startup)
- Draft an acceptable use policy prohibiting personal USB drives.
- Purchase a small batch of hardware-encrypted USB drives for employees who require them.
Required Actions (scaleup)
- Implement endpoint device control to block read/write access to unauthorized USB storage.
- Maintain a strict removable media asset inventory tracking system for all company-owned portable media.
Required Actions (enterprise)
- Deploy enterprise-grade removable media management software with centralized auditing.
- Enforce automatic encryption and logging of all files transferred to portable media.
A removable media policy defines acceptable use, handling, and technical restrictions for portable storage devices like USB drives. Organizations need a removable media policy to prevent data theft, accidental data loss, and the introduction of malware. Tools like WatchDog Security's Policy Management can help version the policy, collect attestations, and retain acceptance records for audits.
Yes, under CyberSecure Canada 6.4.2.1 requirements, organizations must mandate the sole use of organization-owned secure portable media if such devices are permitted in the workplace.
Portable media includes USB flash drives, external hard drives, secure digital (SD) cards, and any other removable storage devices used to transfer or store files.
Enforcement involves a mix of policy acknowledgment, employee training, and device control software on endpoints that blocks reading from or writing to unapproved USB devices. Together, these measures let you control removable media use in the workplace effectively.
Yes, CyberSecure Canada expects portable media to be secure. Section 6.4.3.1 specifically requires the use of encryption on all portable media devices, establishing a baseline encrypted USB drive policy for businesses.
Organizations should maintain a removable media asset inventory tracking system that records device serial numbers, assigned users, encryption status, and the business justification for the device. Tools like WatchDog Security's Asset Inventory can centralize those device records and assignments, and WatchDog Security's Compliance Center can link the inventory evidence to this control during audits.
Removable media malware prevention controls include endpoint security solutions that automatically scan all mounted drives for malware upon insertion, as well as device control policies to block unauthorized devices entirely.
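As an added example (not code from the page or from WatchDog Security), the script below reconciles constructed endpoint USB-mount log lines against an inventory carrying the fields named above (serial number, assigned user, encryption status) and blocks any mount whose drive is unknown, not hardware-encrypted, or used by someone other than its assignee. The log format, serial numbers and user names are assumptions.

```python
# Added example: reconcile endpoint USB-mount events against the removable-media
# inventory fields the control names. Log layout and serials are constructed.
import re

# Constructed inventory of organization-owned drives, keyed by serial number.
INVENTORY = {
    "DT4000-1A2B3C": {"assigned_to": "alice", "hw_encrypted": True},
    "DT4000-9F8E7D": {"assigned_to": "bob", "hw_encrypted": False},
}

# Constructed endpoint log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2026-02-24T09:12:03Z host=WS-101 user=alice action=usb_mount serial=DT4000-1A2B3C
2026-02-24T09:15:44Z host=WS-102 user=carol action=usb_mount serial=PERSONAL-77
2026-02-24T09:20:10Z host=WS-103 user=bob action=usb_mount serial=DT4000-9F8E7D
2026-02-24T09:25:59Z host=WS-104 user=dave action=usb_mount serial=DT4000-1A2B3C
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=usb_mount serial=(?P<serial>\S+)$"
)

def evaluate(user, serial, inventory=INVENTORY):
    """Decide one mount attempt: returns ("allow" | "block", reason)."""
    record = inventory.get(serial)
    if record is None:
        return "block", "serial not in organization-owned inventory"
    if not record["hw_encrypted"]:
        return "block", "drive is not hardware-encrypted"
    if record["assigned_to"] != user:
        return "block", f"drive assigned to {record['assigned_to']}, not {user}"
    return "allow", "organization-owned encrypted drive used by its assignee"

def reconcile(log_text, inventory=INVENTORY):
    """Parse mount events; return one dict per event, skipping unparsable lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict, reason = evaluate(m["user"], m["serial"], inventory)
        findings.append({**m.groupdict(), "verdict": verdict, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in reconcile(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']} {f['serial']}: {f['verdict']} ({f['reason']})")
```

The same three checks map directly onto the audit evidence listed later: an inventory entry per serial, an assignment per user, and proof that unapproved devices are blocked.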
Limit the use of portable media to strictly necessary offline transfers, use hardware-encrypted drives, restrict copy and paste permissions where possible, and ensure sensitive data is deleted securely immediately after the transfer is complete.
Organization-owned portable media should be physically labeled with asset tags, stored in locked cabinets when not in use, and transported securely, ensuring passwords or encryption keys are never kept with the physical drive.
Organizations must follow a documented portable media handling and disposal procedure that includes cryptographic erasure, multi-pass software wiping, or physical destruction like shredding before disposing of the device.
Auditors typically expect to see an approved removable media policy, an inventory of organization-owned portable media with assignments and serials, and evidence that endpoints block or restrict unauthorized devices. Tools like WatchDog Security's Compliance Center can help organize and map that evidence to CSC-06-021 so it is audit-ready.
Exception handling should document the business justification, define safeguards (encryption, approvals, time limits), and record risk acceptance where needed. Tools like WatchDog Security's Risk Register can document and track the risk treatment plan, while WatchDog Security's Policy Management can maintain the exception workflow and approvals alongside the governing policy.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |