In order to manage the risks associated with the use of portable data storage media by staff and students, while still enjoying the benefits of greater mobility and flexibility, university management should consider the following dimensions of security practice:
Policies and procedures should be developed to clearly set out the roles and responsibilities for the use and management of portable data storage media holding the university's data.
- Establish a portable data storage security policy that covers both university-issued and privately owned portable data storage media. This policy should be integrated into the university's overall IT security framework and rigorously enforced.
- Review the university's portable data storage security policy regularly, and revise or update it where necessary, particularly when new data storage technologies become available and in the wake of security incidents involving portable data storage media.
- Develop a set of handling procedures covering the entire life-cycle of portable data storage devices, from acquisition and deployment, through use, to disposal.
- Limit or prohibit the connection of privately owned portable data storage devices to the university's IT systems. For the university's sensitive data, rigorous access control procedures should be implemented to prevent unauthorised access, modification and leakage.
- Consider establishing a centralised encryption key and password repository (key escrow) so that authentication information is managed efficiently and data is not rendered unrecoverable by the accidental loss of an encryption key or password.
Applying security controls to counter the risks caused by human mistakes and negligence is critical to securing the portable storage media used by the university. The university should offer sufficient awareness and training programmes for staff and students to achieve the following objectives:
- Identify and communicate the roles and responsibilities of staff and students in securing their portable storage media.
- Inform staff and students of the risks associated with the use of portable storage media, and of the consequences when those risks are exploited by malicious parties.