ICT Management. > Making Policies & Best Practice

Don’t lose that (USB) stick

By ICT Champions

USB sticks are widely used but can present risks to your organisation. This ICT Champion briefing looks at the risks and how to avoid them.

USB memory sticks (also known as flash drives, pen drives or thumb drives) are a portable storage device that has quickly become a cheap and easy way to conveniently store files and transfer them from one computer to another.  However, USB memory sticks are also easily lost and damaged, can carry viruses, and are rarely secured with a password.   

The following suggested guidelines can help you identify the risks associated with using USB memory sticks and take measures to keep your systems secure and your data safe.  These guidelines could also be adopted as part of your organisation’s ICT Acceptable Use Policy. 

To ensure the organisation continues to be free from viruses and other types of malware please note the following:

• Personal keys are now allowed as long as we take the right precautions.
• External users can bring in their own keys as long as the keys are checked for viruses before being used
• The organisation also has a number of USB keys available for booking

Precautions to take before using a USB key

USB keys owned by the organisation or its staff must be checked for viruses after they have been used on any other system: this includes your own one at home and systems at any other organisation. Before using the USB key at any other organisation, it is also good practice to offer up the key for virus checking to your contact there. 

USB keys owned by an external user may be used on the organisations system but only after they have been checked for viruses. While external users may assure you that their keys are clean, please explain to them that this is procedure; if they want to use their key on our network they will understand that this is to be followed. 

Pass any USB keys for scanning to the IT Officer.

The scan will take place on a standalone computer not connected to the network, please note that if a virus is found on the USB key it will not be possible to use it on the network and files stored on the USB key may be deleted.

Protection of confidential files

Because USB keys are small and because they get used on many different systems, it is easy to leave behind files that ought to otherwise be removed.

This is not just about confidentiality but, in the case of home systems, helps with ensuring only one version of document is in existence at any time.

The following simple guide should help in protecting against these risks:

• always remove files from systems where a USB key has been used - including your own at home, if this applies - unless it is on a system provided by the organisation.
• always clean up a USB drive owned by the organisation before handing it back in
• always remove an of the organisations files from your own USB drive

Physical security of USB drives

The use of USB keys increases vulnerability in several areas - due to their compact nature portable devices may suffer from physical loss, theft or damage. In addition to the data contained on the drive this could compromise confidentiality.

• Never leave a USB key unattended on a desk or keyring and always remember to remove it from the PC or laptop when you have finished working.
• Any losses of USB keys shall be reported immediately to the IT Officer.
• No personal data relating to employees or clients or any business critical information, shall be stored on USB keys unless it is encrypted and you have the permission of the data owner.
• If you lose or have a USB key stolen which contains unencrypted personal data, you may be liable to prosecution under the Data Protection Act.
• If the USB key is used for transitional storage (for example copying data between computers or systems), the data shall be securely deleted from the device immediately upon completion.