NIST 800-53 REV 5 • ACCESS CONTROL
AC-19(2) — Use of Personally Owned Portable Storage Devices
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Personally owned portable storage devices — like someone's personal USB drive — should not be used on organization systems. You do not know where that drive has been.
Example 1: Include a clear prohibition on personal USB devices in your Acceptable Use Policy. Enforce it technically by only allowing organization-provisioned, encrypted USB drives (like IronKey or Apricorn Aegis) through device ID whitelisting in your endpoint protection tool.
Example 2: In Microsoft Defender for Endpoint, configure Device Control → Removable Storage Access to allow only USB devices with approved vendor IDs and product IDs. All other USB storage devices are blocked and the attempt is logged. Review block events monthly for policy violations.
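A policy of the kind Example 2 describes, written out here as an added illustration (not from this page or from Microsoft's documentation), assuming the XML group/rule format that Defender for Endpoint's Device Control uses on Windows endpoints; the GUIDs and the 1234_5678 vendor/product ID are placeholders to replace with the real values from your approved drives.

```xml
<!-- Group definitions (added example; placeholder GUIDs) -->
<Groups>
  <!-- Group 1: every removable storage device seen by the endpoint -->
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <Name>All removable storage</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>

  <!-- Group 2: organization-provisioned drives, matched by vendor ID_product ID
       (1234_5678 is a placeholder, not a real device) -->
  <Group Id="{22222222-2222-2222-2222-222222222222}" Type="Device">
    <Name>Approved organization USB drives</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <VID_PID>1234_5678</VID_PID>
    </DescriptorIdList>
  </Group>
</Groups>

<!-- Rule: deny all removable storage except the approved group, and record each denied attempt -->
<PolicyRules>
  <PolicyRule Id="{33333333-3333-3333-3333-333333333333}">
    <Name>Block unapproved removable storage</Name>
    <IncludedIdList>
      <GroupId>{11111111-1111-1111-1111-111111111111}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
      <GroupId>{22222222-2222-2222-2222-222222222222}</GroupId>
    </ExcludedIdList>
    <!-- Deny entry: AccessMask 63 covers read, write and execute for both disk and file-system access -->
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>63</AccessMask>
    </Entry>
    <!-- Audit entry: Options 3 = notify the user and send the event to the portal for monthly review -->
    <Entry Id="{55555555-5555-5555-5555-555555555555}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>63</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

The groups and rules are deployed as two separate policy documents (for example via Intune OMA-URI or Group Policy), and the denied-access events the audit entry produces are what the monthly review in Example 2 looks at.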