Objective:

Portable storage media such as USB drives, flash memory devices, CDs/DVDs and storage tapes that contain sensitive and confidential information should have reasonable measures to protect the confidentiality of the data. Portable devices might be used outside the campus and be connected to foreign computers, and are prone to loss and theft.


Guidelines:

  1. Downloading
    - Confidential information should only be downloaded to portable storage media with proper endorsement. The staff who downloaded the confidential information should take reasonable measures to protect the confidentiality.
     
  2. Storage and Transit
    - To protect the information from being leaked during transit, the data in the portable storage media should be encrypted. Most Office, zip and Acrobat tools support AES 256-bit encryption. Password for decryption should be sent to the recipient through a separate channel.
    - Physically label the portable storage media with contact information so that it could be returned to the owner if it is found.
     
  3. Using media in foreign computers
    - Extra care must be taken to connect the portable storage media to public computers or computers from an unknown source. Computers should have sufficient security measures, e.g. anti-virus software and firewall, installed.
     
  4. Loss and Theft
    - Loss and theft of the portable storage media should be reported to the custodian of the data as soon as possible.
     
  5. Disposal
    - Disposal of the portable storage media should be done when the data is completely removed or physically purged.



Tools:

Both VeraCrypt or BitLocker support AES 256-bit encryption, which is a standard adopted by the US government. Access to the encrypted volume or device is password protected. AES encryption to portable devices is done on-the-fly. For more information on VeraCrypt and BitLocker, please refer to Data Protection with VeraCrypt or Data Protection with BitLocker respectively.

Colleagues are welcome to join the IT training course "PC Protection & Information Security Overview" at IT Training for Staff to learn more about encryption.