Data security is the primary motivation that leads most of our customers to design CRU removable drives into their computing infrastructure and workflows. (BTW, when people use the term ‘removable drives’ or ‘removable media’, that also can include external hard drives connected via USB, thumb drives, SD/CF cards, and even CDs and DVDs. But we use the term to mean rugged devices that are designed to be inserted and removed 10s of thousands of times in their lifetime.)
Agencies and organizations that use our removables have strict policies on how to physically secure their data at rest, including when a drive should be removed from its compute host and locked up or otherwise secured. The SHIPS platform has the potential to stretch those policies since the high-speed SHIPS modules can be used in a variety of devices that go beyond use cases for traditional removables.
If your organization does not have a policy on how to manage removable media, you should develop one. Removable media is one vector through which viruses, spyware, and other malware are introduced into an organization. Having such a policy provides the guardrails needed for employees to understand their role in data security.
The plan needs to apply to employees, visitors, vendors, contractors—in short, anyone who has access to your computer systems and network. Your removable media policy may be part of a broader peripheral devices policy that includes printers, scanners, VOIP phones, fax machines (yes, they’re still used), and so on. All of these devices have the potential to contain sensitive information that needs to remain within an organization or be available only to authorized personnel.
In addition to defining roles and responsibilities in the policy, the policy needs to define the devices it covers. You might want to outline the risks associated with user access to your networks, computers, and devices, as well as the various security levels of information (protected, restricted, confidential, and so on) and what devices or personnel are authorized to have access.
Any applicable policies and procedures that apply to your organization’s storage and data movement practices should be addressed. Incorporate responsibilities for encryption, virus-checking, malware-prevention, and other security-related software and practices.
Include the policy governance—who is accountable for what, who is responsible, informed, and consulted; address review and revision requirements, audit controls, and any other organizational policy practices.
While it is important that policies are documented, it is equally (perhaps more) important that all affected adhere to data security policies and practices. People are the primary cause of data security issues. When safe data practices are normalized in organizational culture, the more resistant and resilient the organization will be.
Director of Marketing