S 2.401 Handling of mobile data media and devices
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, User
Depending on their technical design, mobile data media allow large amounts of data to be exchanged at high data rates. Until a few years ago the number of different types of mobile data media was relatively small: only removable media such as diskettes or CDs were available for exchanging data. In the meantime there is a wide variety of mobile data media, and they are not always immediately recognisable as data media. For example, wristwatches and music players with integrated memory are now available. The integrated storage of such devices typically starts at a few hundred megabytes but can easily reach several gigabytes.
For this reason, some basic aspects must be taken into account when handling removable data media and mobile devices. The following must be clarified:
- which mobile data media are permitted to be used in the organisation (see also S 2.9 Ban on using non-approved hardware and software),
- which are actually in use and who is using them (e.g. using inventory lists as described in S 2.2 Resource management),
- which data is allowed to be stored on mobile data media and which data is not (see also S 2.217 Careful classification and handling of information, applications and systems),
- how the data stored on these mobile data media will be protected against unauthorised access, tampering, and loss,
- with which persons outside the organisation data media may be exchanged and which security regulations must be followed when exchanging data media (see also module S 5.2 Exchange of data media),
- how to prevent the mobile data media from being used to obtain information without authorisation, and
- how to prevent malware from being spread via the mobile data media.
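The first two points above (which media are permitted and which are actually in use) can be checked technically by comparing the removable storage devices attached to an IT system against the inventory of approved media. The following is an added example and not part of the safeguard text: it parses the KEY=VALUE property blocks that `udevadm info --query=property` prints for block devices on Linux, keeps only USB-attached whole disks, and compares vendor ID, model ID and serial number against an allowlist. The inventory, the device blocks and the allowlist key format `vendor:model:serial` are constructed for this example.

```python
"""Allowlist check for removable USB storage against an inventory of approved media.

Added example, not part of the original safeguard text. Input is the KEY=VALUE
format printed by `udevadm info --query=property /dev/sdX`; the inventory and
the sample devices below are constructed.
"""
from dataclasses import dataclass

# Constructed inventory of approved mobile data media (assumption):
# key = "<ID_VENDOR_ID>:<ID_MODEL_ID>:<ID_SERIAL_SHORT>", value = inventory entry.
APPROVED_MEDIA = {
    "0781:5583:4C530001230519118223": "Inventory #MD-0042, J. Doe",
    "0951:1666:E0D55EA573DCF4B0A14D": "Inventory #MD-0043, IT support",
}

# Constructed sample output: one approved USB stick, one unknown USB stick,
# and the internal SATA disk, which is not removable media at all.
SAMPLE_UDEV_OUTPUT = """\
DEVNAME=/dev/sdb
SUBSYSTEM=block
DEVTYPE=disk
ID_BUS=usb
ID_VENDOR=SanDisk
ID_MODEL=Ultra
ID_VENDOR_ID=0781
ID_MODEL_ID=5583
ID_SERIAL_SHORT=4C530001230519118223

DEVNAME=/dev/sdc
SUBSYSTEM=block
DEVTYPE=disk
ID_BUS=usb
ID_VENDOR=Generic
ID_MODEL=Flash_Disk
ID_VENDOR_ID=058f
ID_MODEL_ID=6387
ID_SERIAL_SHORT=9A8B7C6D

DEVNAME=/dev/sda
SUBSYSTEM=block
DEVTYPE=disk
ID_BUS=ata
ID_VENDOR=Samsung
ID_MODEL=SSD_860
ID_SERIAL_SHORT=S3Z9NB0K123456X
"""


@dataclass(frozen=True)
class Device:
    devname: str
    vendor_id: str
    model_id: str
    serial: str
    description: str

    @property
    def key(self) -> str:
        return f"{self.vendor_id}:{self.model_id}:{self.serial}"


def parse_udev_properties(text: str) -> list[dict[str, str]]:
    """Split udevadm-style output (blank line between devices) into one dict per device."""
    blocks, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                blocks.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        blocks.append(current)
    return blocks


def usb_storage_devices(blocks: list[dict[str, str]]) -> list[Device]:
    """Keep only USB-attached whole disks; partitions and internal disks are skipped."""
    devices = []
    for props in blocks:
        if props.get("ID_BUS") != "usb" or props.get("DEVTYPE") != "disk":
            continue
        devices.append(Device(
            devname=props.get("DEVNAME", "?"),
            vendor_id=props.get("ID_VENDOR_ID", "").lower(),
            model_id=props.get("ID_MODEL_ID", "").lower(),
            serial=props.get("ID_SERIAL_SHORT", ""),
            description=f"{props.get('ID_VENDOR', '?')} {props.get('ID_MODEL', '?')}",
        ))
    return devices


def audit(text: str, approved: dict[str, str] = APPROVED_MEDIA) -> tuple[list[Device], list[Device]]:
    """Return (approved, unauthorised) USB storage devices found in the udev output."""
    ok, bad = [], []
    for dev in usb_storage_devices(parse_udev_properties(text)):
        # A device without a serial can never match the inventory and is treated as unauthorised.
        (ok if dev.serial and dev.key in approved else bad).append(dev)
    return ok, bad


if __name__ == "__main__":
    approved, unauthorised = audit(SAMPLE_UDEV_OUTPUT)
    for d in approved:
        print(f"OK    {d.devname} {d.description} ({APPROVED_MEDIA[d.key]})")
    for d in unauthorised:
        print(f"DENY  {d.devname} {d.description} {d.key} not in inventory")
```

On a real system the text passed to `audit()` would come from `udevadm info --query=property` for each `/dev/sd*` device. The check only reports; enforcing the allowlist (blocking unapproved devices at attach time) is the job of device-control tooling such as udev rules or USBGuard, and a serial number alone is not proof of identity, since it can be reprogrammed on many cheap controllers.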
Furthermore, it must be clarified whether employees are permitted to use their own private mobile data media and devices in the organisation and, conversely, whether employees may store and use private data on corporate mobile data media and devices. Likewise, it must be clarified whether external personnel are permitted to use the mobile data media and devices they bring into the organisation, for example to exchange files.
The more restrictive the security policies for handling mobile data media and devices, the more they restrict day-to-day work with the media. For this reason, every security policy should be examined to ensure it is appropriate to the risk it addresses.
The number of types and variations of data media will increase further in the future. Data media will become increasingly "invisible" because they will be integrated into other devices. The security policies for handling mobile data media and devices should be examined regularly to check if they are still up to date, starting with checking if all types of data media currently used are listed.
Mobile data media can easily be lost or stolen when taken outside the organisation. For this reason, confidential information should be stored on mobile data media only in encrypted form. The best solution is to use encryption products that automatically encrypt all data stored on the mobile data media, so that protection does not depend on the user remembering to encrypt individual files (see also S 4.29 Use of an encryption product for portable IT systems).
All IT systems should be equipped with a boot lock that prevents booting from external media such as diskettes, CD-ROMs, or USB sticks (for example by fixing the boot order in the BIOS/UEFI setup and protecting the setup with a password), so that software cannot be installed, or the configuration changed, without being subject to controls. Additional information on this subject can be found in safeguard S 4.4 Correct handling of drives for removable media and external data storage.
The procedure deemed appropriate by the organisation in question should be documented and recorded in a security policy for the employees. To reduce the risks involved in using mobile data media to an appropriate level, it makes sense to implement various technical safeguards (see, for example, S 4.200 Handling of USB storage media or S 4.232 Secure use of extended memory cards), but this alone is not enough. It is essential to make the employees aware of these issues accordingly.
Review questions:
- Is the use of private mobile data media and IT components regulated?