Saturday, August 30, 2008

Re: USB Drive Policy

"You're kidding, right? A policy on USB drives? Back in the "old days" did we
have policies on floppy disks?"


More than a few did. These kinds of policies often exist in the space between when a technology becomes available and a suitable level of protection and social norming can be sorted out.

External storage represents 4 basic threats: malicious code (i.e. viruses), bootable infrastructure (i.e. OS or web browsers to hide activity or circumvent controls), inappropriate content (i.e. porn, illegal music sharing), and theft of IP or sensitive information (i.e. download student database or all papers for a given class).

The expectation is that all of these should be dealt with by schools, making a policy unnecessary.

1. Have antivirus per machine and enough network monitoring to raise red flags if something gets through.
2. Lock down BIOS/Firmware to prevent booting and reasonable proxy/firewall controls to prevent circumvention.
3. Discipline policy handling bringing inappropriate material to school regardless of whether it comes on a flash drive, in a magazine, or on a widget that has yet to be invented.
4. Controls on school critical info.

None of these systems has to be, or can be expected to be, bullet-proof; as long as you are making reasonable efforts towards them, you do not need a USB policy. If you do not have the budget, time, or expertise to implement them, then you may need guidelines on USB usage to remind people of the policies they could be violating through USB flash usage. Policies focus on behavior and should be timeless; guidelines clarify policy in relation to specific technologies.

Sadly, every non-academic environment I have worked in has had policies/prohibitions on external storage devices. So schools have an opportunity to be ahead of the curve on this, at least until they are forced to take up more in loco parentis/law enforcement duties.

http://news.cnet.com/8301-10784_3-9940361-7.html

_J

[ For info on ISED-L see http://www.gds.org/ISED-L ]
Submissions to ISED-L are released under a creative commons, attribution, non-commercial, share-alike license.