Information Security Policies,
Procedures, Guidelines
Revised December 2017 Page 87 of 94
APPENDIX E SECTION 4. REMOVABLE MEDIA: ACCEPTABLE USE POLICY
This policy must be followed to safeguard both personal and State information and
applies to all State employees and anyone using State computer systems, including
other State agency staff, contract staff and vendors. All State entities must take
measures to ensure that encryption procedures are consistently implemented. The use
of third-party tools to enforce this policy is one approved alternative; the use of Windows
technologies, such as Active Directory Group Policy and native Windows encryption
utilities, is another. This policy represents a minimum standard. Agencies are free
to apply stricter standards where they deem it appropriate.
1. USB ports are essential for most personal computers and are universally allowed to
support the connection of keyboards and mice. USB ports can also be used for
approved peripheral devices.
2. The following Removable Media Devices must be "State owned assets" and
controlled through an authorized approval process: flash drives, external hard
drives, memory sticks, audio/video devices (tablets, iPods, MP3 players or similar
hybrid devices), smartphones, cell phones or cell phone hybrids, micro drives and
non-standard PDAs. The controls that apply to connecting devices by USB also apply
to every other method of connecting these devices, and failure to comply with those
controls is likewise a violation of this policy. Other connection methods include, but are
not limited to: Bluetooth, Infrared, FireWire, Serial/Parallel ports, Optical
(CD/DVD/Blu-ray), eSATA, and SCSI.
3. The level of encryption on any Removable Media Device is required to be tailored to
confidentiality requirements for the data on the device. A data classification
process compliant with FIPS 199¹ is required before deciding on the level of
encryption for a media device. The security personnel affiliated with the agency along
with the agency leadership will be responsible for the execution and accuracy of the
data classification. After the data on the device is classified, the following apply:
a. Data that is not determined to be sensitive data, as defined below, is allowed
to reside on an unencrypted device. The Office of the Director of Compliance must
approve the use of any such unencrypted device, and if the Director of Compliance
disapproves of any use of an unencrypted device, the device must not be used until it
is encrypted. The possibility that sensitive data may be present mandates the use of
an encrypted device.
b. When used in this policy, "sensitive data" is defined as any data that includes
Personal Identity Information (PII), information deemed confidential by the nature
of the agency's business, or information regulated by federal, state, or local
regulations. Personal identity information includes social security numbers, tax
identification numbers, bank account numbers, credit card numbers, personal
health information (PHI) and driver's license numbers. Current and former State
employees' personal contact information, such as home telephone numbers and
addresses, and information related to their electronic communication devices are
considered sensitive information by State statute. If more than one external regulation
applies to the data on a device, the device owner is required to comply with
the strictest regulation applicable to that data.