3.9 Encrypt Data on Removable Media

Implementation Groups: IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Encrypt data on removable media.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify all data requiring encryption
7. Select approved encryption algorithms and key lengths (AES-256)
8. Deploy encryption solution and verify data protection
9. Establish key management procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Data Breach via Lost USB Drive or External Media

Confidentiality

An unencrypted USB drive, external hard drive, or backup tape containing sensitive data is lost or stolen, exposing all contents to whoever finds it.

Malicious Media Swap Attack

Integrity

An attacker swaps a legitimate removable media device with one containing modified data, compromising data integrity when the tampered media is used for data transfer or backup restoration.

Vulnerabilities (When Safeguard Absent)

Unencrypted Removable Media

Removable storage devices used to transport or back up sensitive data lack encryption, meaning physical possession equals full data access.

No Policy Governing Removable Media Encryption

Without mandatory encryption requirements for removable media, users make ad-hoc decisions about whether to encrypt, typically defaulting to no encryption.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Technical | Encryption configuration evidence (disk encryption status, TLS settings) | Scanned monthly
Document | Key management procedures and key rotation records | Reviewed annually
Document | Governing policy document (current, approved, communicated) | Reviewed annually