USB and Removable Media Policy
Purpose
Removable storage media such as USB flash drives, external hard drives, SD cards, and optical discs pose significant security risks, including data exfiltration, malware introduction, and loss of sensitive information. This policy defines the controls governing the use of removable media on Global Bank corporate devices.
Policy Reference: IT-SEC-005
Effective Date: 1 January 2025
Review Date: 1 January 2026
Applies To: All employees, contractors, and third-party users with access to Global Bank devices or networks
General Principle
The use of removable storage media is restricted by default on all Global Bank corporate devices. USB mass storage access is disabled through Group Policy and endpoint security controls. Exceptions are granted only where a legitimate business need exists and approved alternatives (such as secure file transfer or cloud storage) are not suitable.
Approved Removable Media
Only the following removable media devices are approved for use at Global Bank:
| Device | Specification | Issued By |
|---|---|---|
| Kingston IronKey D500S | FIPS 140-3 Level 3, hardware encrypted, 256-bit AES-XTS | IT Security Team |
| Kingston IronKey Vault Privacy 80ES | External SSD, FIPS 197 certified, hardware encrypted | IT Security Team |
No other USB storage devices, including personal USB drives, are permitted to be connected to corporate devices. Approved devices are pre-registered in the endpoint management platform and will be automatically recognised when connected.
Requesting Removable Media Access
- Log in to the IT Service Portal at servicedesk.globalbank.com.
- Navigate to Request a Service > Removable Media Access.
- Complete the request form, including:
  - Business justification for removable media use
  - Type of data to be transferred (include classification level)
  - Duration of access required
  - Confirmation that approved cloud or network alternatives are not suitable
- Your line manager and the IT Security Team must both approve the request.
- Upon approval, the IT Security Team will issue an approved encrypted device and whitelist your corporate laptop for removable media access for the specified duration.
Usage Rules
- Approved removable media devices must only be used for the specific purpose stated in the approved request.
- Only data classified as Internal or Confidential may be transferred to approved removable media. Restricted data may never be placed on removable media without explicit written approval from the CISO.
- Data must be encrypted before transfer. Approved IronKey devices provide hardware encryption automatically.
- Files must be securely deleted from the removable device once the transfer is complete and the data is no longer needed on the device.
- Approved devices must not be connected to non-corporate computers or shared with other individuals.
- Approved devices must be returned to the IT Security Team once the approved usage period has expired.
Prohibited Activities
- Connecting any personal or unapproved USB storage device to a corporate computer.
- Using removable media to transfer Restricted data without CISO approval.
- Attempting to bypass USB port restrictions using software or hardware adapters.
- Connecting removable media received from external parties (clients, vendors, couriers) without first having the media scanned by the IT Security Team.
- Leaving removable media unattended or unsecured at any time.
External Media from Third Parties
If you receive a USB drive, CD/DVD, or other removable media from an external party, do not connect it to your corporate device. Instead:
- Deliver the media to the IT Security Team (Floor 4, Room 4.12, London HQ) or your local IT office.
- IT Security will scan the media in an isolated environment for malware and verify the contents.
- If the media is clean, IT Security will transfer the files to a secure network location and notify you.
Lost or Stolen Devices
If an approved removable media device is lost or stolen:
- Report the loss immediately to the IT Security Team at itsecurity@globalbank.com or Ext. 2200.
- Also report to the IT Service Desk to log an incident (see IT Incident Reporting Procedure, IT-INC-001).
- Provide details of the data that was stored on the device so that IT Security can assess the risk and determine whether a data breach notification is required.
Non-Compliance
Violation of this policy may result in immediate revocation of removable media privileges, confiscation of the device, and disciplinary action. Deliberate data exfiltration via removable media may constitute gross misconduct and will be reported to the relevant authorities.
Contact
- IT Security Team: itsecurity@globalbank.com | Ext. 2200
- IT Service Desk: servicedesk@globalbank.com | Ext. 2000