3.1.21—Access Control - Derived
Control Description
Discussion
Limits on the use of organization-controlled portable storage devices in external systems range from a complete prohibition of such devices to restrictions on how, and under what conditions, the devices may be used. Note that while "external" typically refers to systems outside the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI, there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the same organization may be considered "external" to that system.
Cross-Framework Mappings
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies limit use of portable storage devices?
- What approval process exists for portable storage device usage?
- How do you communicate portable storage restrictions to users?
- Who approves exceptions for portable storage use?
- What training addresses portable storage security risks?
Technical Implementation:
- What technical controls restrict portable storage device usage?
- How do you prevent unauthorized USB or external storage devices?
- What device control solutions are implemented?
- How are approved portable devices identified and whitelisted?
- What monitoring detects unauthorized portable storage use?
Evidence & Documentation:
- Can you show device control policies and configurations?
- What logs demonstrate blocked unauthorized storage devices?
- Can you provide a list of approved portable storage devices?
- What evidence shows portable storage restrictions are enforced?
- What audit findings verify portable storage controls?
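The Technical Implementation and Evidence questions above come down to one mechanism: a list of individually approved portable storage devices, an enforcement point that checks each attached device against it, and logs showing the blocks. The following is an added example, not code from this page or from any particular device-control product, showing that decision logic over constructed device-attach events. The log format, the agent that would emit it, the approved-device entries and the asset tags are all assumptions made for the example; a real deployment would take these from the organization's device-control solution and its approved-device inventory. It also covers two edge cases an assessor tends to probe: a device of the same make and model as an approved one but with a different serial number, and a device that reports no serial number at all (which cannot be individually approved and is therefore blocked).

```python
"""Added example (not from the page): evaluate USB attach events against an
approved portable storage allowlist and summarise the result as assessment
evidence for 3.1.21.  Log format and sample data are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Approved devices keyed by (vendor id, product id, serial number), lowercase hex.
# Constructed sample entries; a real list comes from the device inventory.
APPROVED_DEVICES: Dict[Tuple[str, str, str], str] = {
    ("0951", "1666", "0c9d92b0a1f3"): "ENC-USB-001 (hardware-encrypted, asset tag 4471)",
    ("0781", "5583", "4c530001230517"): "ENC-USB-002 (hardware-encrypted, asset tag 4472)",
}

# Constructed key=value line format from a hypothetical device-control agent.
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) class=(?P<cls>\S+) "
    r"vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}) serial=(?P<serial>\S*)$"
)

# Constructed sample events: one approved device, one same-model clone with an
# unknown serial, one device with no serial, one keyboard, one unapproved stick.
SAMPLE_EVENTS: List[str] = [
    "2024-05-01T10:02:11Z host=ws-17 user=alice class=mass-storage vid=0951 pid=1666 serial=0C9D92B0A1F3",
    "2024-05-01T10:05:43Z host=ws-17 user=alice class=mass-storage vid=0951 pid=1666 serial=0C9D92B0FFFF",
    "2024-05-01T11:12:09Z host=lt-03 user=bob class=mass-storage vid=abcd pid=1234 serial=",
    "2024-05-01T11:30:00Z host=lt-03 user=bob class=hid vid=046d pid=c52b serial=",
    "2024-05-01T12:00:00Z host=lt-03 user=bob class=mass-storage vid=13fe pid=4300 serial=070B2A1C",
]


@dataclass
class Decision:
    ts: str
    host: str
    user: str
    vid: str
    pid: str
    serial: str
    in_scope: bool   # True only for portable storage devices
    verdict: str     # "ALLOW" or "BLOCK"
    reason: str


def evaluate_event(line: str) -> Decision:
    """Decide whether one attach event is permitted under the allowlist."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    f = m.groupdict()
    vid, pid, serial = f["vid"].lower(), f["pid"].lower(), f["serial"].lower()
    common = dict(ts=f["ts"], host=f["host"], user=f["user"], vid=vid, pid=pid, serial=serial)

    if f["cls"] != "mass-storage":
        # Keyboards, mice, etc. are not portable storage and are outside this control.
        return Decision(**common, in_scope=False, verdict="ALLOW",
                        reason="not portable storage; outside the scope of this control")
    if not serial:
        # Without a serial number the device cannot be individually approved.
        return Decision(**common, in_scope=True, verdict="BLOCK",
                        reason="no serial number; device cannot be individually approved")
    if (vid, pid, serial) in APPROVED_DEVICES:
        return Decision(**common, in_scope=True, verdict="ALLOW",
                        reason=f"approved device {APPROVED_DEVICES[(vid, pid, serial)]}")
    if any(key[:2] == (vid, pid) for key in APPROVED_DEVICES):
        # Same make/model as an approved device is not enough: the serial must match.
        return Decision(**common, in_scope=True, verdict="BLOCK",
                        reason="same make/model as an approved device but serial is not on the allowlist")
    return Decision(**common, in_scope=True, verdict="BLOCK",
                    reason="device not on the approved portable storage list")


def audit(lines: List[str]) -> dict:
    """Summarise a batch of events into the counts and block records an assessor asks for."""
    decisions = [evaluate_event(line) for line in lines]
    storage = [d for d in decisions if d.in_scope]
    blocked = [d for d in storage if d.verdict == "BLOCK"]
    return {
        "total_events": len(decisions),
        "storage_events": len(storage),
        "allowed": len(storage) - len(blocked),
        "blocked": len(blocked),
        "blocked_events": [
            f"{d.ts} {d.host} {d.user} {d.vid}:{d.pid}/{d.serial or '-'}: {d.reason}"
            for d in blocked
        ],
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        d = evaluate_event(event)
        print(f"{d.verdict:5} {d.host:6} {d.user:6} {d.vid}:{d.pid}/{d.serial or '-':15} {d.reason}")
    print(audit(SAMPLE_EVENTS))
```

The `audit` output is the shape of evidence behind the "what logs demonstrate blocked unauthorized storage devices" question: a count of in-scope attach events, how many were allowed, and a per-event record of each block with its reason. Matching on vendor and product id alone would let any stick of an approved model through, so the allowlist is keyed on the serial number as well, and a device that presents no serial is treated as unapprovable rather than silently allowed.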