Management of Removable Media
Obviously this presents two clear risks: loss of information, and corruption of information or introduction of unknown software when the device is reintroduced onto the organisation's network.
If no longer required, information should be deleted or destroyed and made unrecoverable. Where necessary, authorisation should be required and records of it kept. Cryptography should be considered so that the data is protected if the media is lost. If the media is being removed for backup purposes, it should be stored separately (think co-location) to remove the risk of correlated threats, but security should also be considered for off-site storage, and multiple copies on discrete devices could be considered to protect against degradation of the data. Removable drives should only be permitted as a conscious choice to accept the risk, rather than the other way around. IT departments need to be aware that enabling the USB sockets on the CEO's computer for ease of use is often the most straightforward way for a third party to gain access (physically or logically) to the organisation's network.
Documented procedures are required to cover the handling of removable media.
Disposal of Media
This should be done securely and disposal records should be kept. If devices containing sensitive data are damaged, physically destroying them should be considered rather than sending them to a third party for repair.
Physical Media Transfer
If subcontracted, a list of approved carriers / couriers should be maintained and procedures put in place for the identification of those couriers. Logs identifying the information transferred, the time of transfer and its receipt should be maintained; this should form part of the procedures.