Does your organization physically secure all removable media containing unencrypted sensitive information?
Explanation
Removable media (USB drives, external hard drives, SD cards, etc.) containing unencrypted sensitive data present a significant security risk if lost or stolen, because anyone who obtains the device can read the data directly.
Physical security measures such as locked drawers, safes, or secure rooms help prevent unauthorized access to these devices when not in use.
Evidence of compliance could include documented physical security policies specific to removable media, photographs of secure storage locations with identifying information redacted, logs of media check-in/check-out procedures, or results from internal audits verifying proper storage of removable media containing sensitive information.
Implementation Example
Physically secure removable media containing unencrypted sensitive information, such as within locked offices or file cabinets
ID: PR.DS-01.227
Context
- Function: PR: PROTECT
- Category: PR.DS: Data Security
- Sub-Category: The confidentiality, integrity, and availability of data-at-rest are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
- Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?