NIST 800-171 • LEVEL 2 • MEDIA PROTECTION
3.8.8 — Prohibit the Use of Portable Storage Devices When Such Devices Have No Identifiable Owner
Prohibit the use of portable storage devices when such devices have no identifiable owner.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
If someone finds a random USB drive in the parking lot or a conference room, it should never end up plugged into one of your systems. This practice prohibits the use of any portable storage device that has no known, identifiable owner.
Example 1: Establish a company policy that all USB drives must be issued and tracked by IT. Maintain an asset inventory of approved USB drives with serial numbers linked to specific employees. Any USB drive not in the inventory is confiscated and turned over to IT for analysis — never plugged into a production system.
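One way to turn that inventory into a detective control, as an added example that is not part of this page or any vendor tool: match USB attach events from host logs against the IT-issued serial inventory and flag any device with no assigned owner. The inventory, hostnames and syslog-style lines below are constructed samples in the shape of Linux usb-storage kernel messages; a Windows deployment would parse its removable-storage events the same way.

```python
"""Flag removable-storage attach events whose serial is not in the IT-issued inventory."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical asset inventory: device serial -> employee it was issued to (constructed).
APPROVED_USB = {
    "4C530001230415113123": "alice",
    "0701234A8BC9D1E2": "bob",
}

# Constructed syslog-style lines modelled on Linux kernel USB attach messages.
SAMPLE_LOGS = """\
Mar 03 09:12:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583
Mar 03 09:12:01 ws-17 kernel: usb 1-2: SerialNumber: 4C530001230415113123
Mar 03 13:40:22 ws-42 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666
Mar 03 13:40:22 ws-42 kernel: usb 2-1: SerialNumber: DEADBEEF00001
Mar 04 08:05:10 ws-17 kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=1000
Mar 04 08:05:10 ws-17 kernel: usb 1-3: SerialNumber: 0701234A8BC9D1E2
"""

# Only the SerialNumber line carries the identity we compare against the inventory.
SERIAL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$"
)


@dataclass(frozen=True)
class UsbEvent:
    timestamp: str
    host: str
    port: str
    serial: str
    owner: Optional[str]  # None means the device is not in the inventory


def audit_usb_events(log_text: str, inventory=APPROVED_USB):
    """Parse every USB serial line and look up its owner in the inventory."""
    events = []
    for line in log_text.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            events.append(UsbEvent(m["ts"], m["host"], m["port"], m["serial"],
                                   inventory.get(m["serial"])))
    return events


def unowned_devices(log_text: str, inventory=APPROVED_USB):
    """Return only the attach events for devices with no identifiable owner."""
    return [e for e in audit_usb_events(log_text, inventory) if e.owner is None]


if __name__ == "__main__":
    for e in unowned_devices(SAMPLE_LOGS):
        print(f"ALERT {e.timestamp} host={e.host} port={e.port} serial={e.serial}: "
              "portable storage with no identifiable owner")
```

Each alert identifies the workstation and port so IT can collect the device for analysis rather than letting it stay mounted.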
Example 2: Include this requirement in your annual security awareness training. Use a real-world example like the 2008 Agent.btz attack (a USB-based worm that compromised DoD networks) to drive home why unknown USB devices are a serious threat. Track training completion in your LMS as evidence of policy communication.