Purpose
Preventing the use of removable media (USB drives, CDs, external hard drives) is crucial for preventing data theft and malware infection. This standard will define the responsibilities and rules around USB storage devices in relation to Level 3 – Confidential Data, as defined in the FIU Data Classification Standard.
Any department, business unit, or college that store, process, or transmit Level 3 - Confidential data is prohibited from using removable media on any information system handling Level 3 data. Exceptions may be granted for a documented business justification only by receiving written approval from the assigned Data Steward and the Division of Information Technology Security Office. All approved exceptions must be time-bound and are subject to annual review. Technical controls, including but not limited to Device Media Control mechanisms, must be implemented on endpoints confidential Level 3 data.
Scope and Authority
This standard applies to all departments, units, and colleges that store, process, or transmit Level 3 – Confidential Data, as defined in the FIU Data Classification Standard. It applies to all university-owned or managed information systems that handle such data. This standard applies to all faculty, staff, students, contractors, third parties, and any persons of interest granted authorized access to covered systems or Level 3 - Confidential Data.
Roles and Responsibilities
Chief Information Security Officer (CISO)
- Approves and maintains this standard
- Defines institutional risk tolerance related to removable media
- Serves as final authority for high-risk or extended exceptions
- Accepts documented residual risk where appropriate
- Reports material risk posture to executive leadership
Division of Information Technology Security Office
- Implements and maintains Device Media Control mechanisms
- Establishes encryption and configuration standards on authorized removable media devices
- Reviews and approves exception requests
- Maintains an exception registry
- Monitors removable media activity
- Investigate violations and incidents
- Provides audit evidence and compliance reporting
Loss, theft, or suspected compromise of removable media containing institutional data must be reported immediately to the Division of IT Security Office and handled in accordance with the institutional Incident Response Plan.
All removable media must be sanitized or destroyed in accordance with FIU Media Sanitization Standard. Removable media found without a known owner should be turned in to the IT Security Office for sanitization.
Department IT Administrator (ITA)
- Ensures endpoints are properly configured and managed
- Implements approved exceptions
- Verifies encryption and configuration standards
- Reports suspected misuse or compromise
- Supports audit and compliance activities
Department IT Administrators may not independently authorize removable media usage.
Data Owner
- Determines data classification
- Approves or denies business justification for exceptions
- Ensures risk impact is evaluated
- Reviews approved exceptions annually
Data Owner approval does not override institutional enforcement requirements.
System Owner
- Ensures systems under their authority enforce Device Media Control requirements
- Confirms compliance during periodic reviews
- Coordinates remediation of identified gaps
Data Steward (Authorized Users)
- Comply with all removable media restrictions
- Use only approved and encrypted devices
- Do not bypass security controls
- Immediately report lost, stolen, or compromised media
Failure to comply may result in disciplinary action in accordance with university policy.
Requirements for Approved Removable Media
- Must have a minimum of AES-256 encryption
- Must be an Information Technology Security Office approved USB device
- Data must be accessed from a managed device.
Examples of Approved Removable Media
- Docking stations
- Encrypted USB thumb drive approved by the Division of Information Technology Security Office
- Keyboards
- Mice
- Presentation remote
Examples of Prohibited Removable Media
- Cell phones in USB storage mode
- CD/DVD drives
- External USB hard drives
- SD/microSD cards
- USB thumb drives
- Any USB storage media that allows reading or writing of files and folders