portable memory device policy

[123tom]

Comments welcomed. Why are portable memory device use so commonly allowed at work? Especially, when the ability to manage these devices like iPads, Flash drive, USB Sticks and so on not in place? How can you be compliant for HIPPA, SOX or other laws and still not manage the use of portable memory?

 

[hilfy]

Everywhere I've worked that has to comply with these types of laws not only has policies in place, but also has things set up so that users either cannot connect to these types of USB memory devices or they monitor that these types of devices are in use. My current client (a large financial company) also does not allow the vast majority of users to send attachments outside of the company.

However, all of these are larger, more mature organizations that have string security policies and automated monitoring in place.

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.

 

[kmcferrin]

Disabling access to portable media/memory devices is trivial. Furthermore, the requirements of HIPAA (only one P) and SOX tend to be a little vague on the specifics. They talk a lot about best practices without saying what those practices are. As far as iPads/tablets, third-party computers, and so on, there are a number of security tools available that allow you to securely deliver applications to those devices while still preventing data leakage (usually through Citrix/RDP, VDI, or similar techniques).

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator