
Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.


Overview

Finding ID: V-23921
Version: STO-DRV-060
Rule ID: SV-28877r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Failure to maintain proper control of storage devices used in sensitive systems may mean the firmware or other files could have been compromised. Action is needed to scan for malicious code. Although the data on the device is most likely protected by encryption and authentication controls, it is still possible that a sophisticated attacker may have compromised the device. The risk to the system and the network increases if the device is used on a server or by a user with administrator privileges.
STIG: Removable Storage and External Connections Security Technical Implementation Guide
Date: 2017-09-25

Details

Check Text (C-29526r2_chk)
Further policy details:

This requirement applies to removable storage media and other persistent memory devices that are recovered after a loss or theft. This also applies to cases where the organization failed to maintain positive physical control commensurate with the classification of the data authorized to be transferred.

Reclaimed media and drives will be scanned for malicious activity and wiped immediately when the data is no longer needed.

Reclamation procedures:
1. Insert or access the device.
2. Scan the device with organization-approved security scanning software.
3. Wipe the device using organization-approved disk wipe software.


Check procedures:

1. Interview the site representative.
2. Verify the data transfer procedures outlined above are being followed if or when lost, stolen, or misplaced flash media and external hard drives are recovered. If security scanning software and disk wipe software are not used on reclaimed or recovered storage devices, this is a finding.
Fix Text (F-26595r1_fix)
Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.