3.9
IG2 IG3

Encrypt Data on Removable Media

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Encrypt data on removable media.

Implementation Checklist

1
Assess current protection controls in place
2
Configure and deploy required security controls
3
Test control effectiveness in non-production environment
4
Deploy to production and verify functionality
5
Document configuration and operational procedures
6
Identify all data requiring encryption
7
Select approved encryption algorithms and key lengths (AES-256)
8
Deploy encryption solution and verify data protection
9
Establish key management procedures

Tool Recommendations

Microsoft Purview Forrester Wave Leader, Data Security Platforms 2023

Data governance and compliance platform with DLP, information protection, sensitivity labels, and insider risk management

Microsoft · Per-user subscription (E5/standalone)
Symantec DLP Forrester Wave Leader, Data Security Platforms 2023

Enterprise data loss prevention covering endpoint, network, storage, and cloud channels with policy-based content inspection

Broadcom · Enterprise license
Forcepoint DLP Forrester Wave Strong Performer, Data Security 2023

Data-centric security platform with DLP across endpoint, network, cloud, and email with risk-adaptive protection

Forcepoint · Per-user subscription

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Data Breach via Lost USB Drive or External Media

Confidentiality

An unencrypted USB drive, external hard drive, or backup tape containing sensitive data is lost or stolen, exposing all contents to whoever finds it.

Malicious Media Swap Attack

Integrity

An attacker swaps a legitimate removable media device with one containing modified data, compromising data integrity when the tampered media is used for data transfer or backup restoration.

Vulnerabilities (When Safeguard Absent)

Unencrypted Removable Media

Removable storage devices used to transport or back up sensitive data lack encryption, meaning physical possession equals full data access.

No Policy Governing Removable Media Encryption

Without mandatory encryption requirements for removable media, users make ad-hoc decisions about whether to encrypt, typically defaulting to no encryption.

Evidence Requirements

Type Evidence Item Collection Frequency
Technical Configuration screenshots or exports showing protection controls enabled Captured quarterly
Document Procedure documentation for protection measures Reviewed annually
Technical Encryption configuration evidence (disk encryption status, TLS settings) Scanned monthly
Document Key management procedures and key rotation records Reviewed annually
Document Governing policy document (current, approved, communicated) Reviewed annually

Related Policy Templates

Encryption Policy
Control 3
Acceptable Encryption Standards
Control 3

Related Safeguards in Control 3

3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
3.3 Configure Data Access Control Lists
3.4 Enforce Data Retention
3.5 Securely Dispose of Data
3.6 Encrypt Data on End>User Devices
3.7 Establish and Maintain a Data Classification Scheme
3.8 Document Data Flows
3.10 Encrypt Sensitive Data in Transit
3.11 Encrypt Sensitive Data at Rest
3.12 Segment Data Processing and Storage Based on Sensitivity
3.13 Deploy a Data Loss Prevention Solution
3.14 Log Sensitive Data Access
3.8 3.10