NIST 800-53 REV 5 • ACCESS CONTROL
AC-19(3) — Use of Portable Storage Devices with No Identifiable Owner
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Do not allow portable storage devices without an identifiable owner. If you find a USB drive in the parking lot, do not plug it into anything — it could be a deliberate attack.
Example 1: Maintain an inventory of all organization-issued USB devices with serial numbers mapped to assigned users. Any USB device not in the inventory is prohibited. Include this in your asset management database and review quarterly.
Example 2: Include USB attack awareness in your security training. Teach employees to never plug in found USB devices and to report them to security. Conduct periodic red team tests by dropping labeled USB drives in common areas and tracking who plugs them in.
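The inventory check from Example 1, as an added sketch that is not part of the original page: it reads USB enumeration lines in Linux kernel log format, matches each serial number against the inventory, and flags any device with no identifiable owner, including devices that report no serial number at all. The inventory entries, log lines, user names and the 92-day review window are constructed assumptions.

```python
import re
from datetime import date

# Constructed inventory: serial number -> (assigned user, date of last review).
INVENTORY = {
    "4C530001230115118492": ("asmith", date(2024, 1, 10)),
    "AA00000000000489": ("bjones", date(2023, 6, 2)),
}

# Constructed sample lines in the Linux kernel log format for USB enumeration.
SAMPLE_LOG = """\
[ 101.1] usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 101.2] usb 1-2: SerialNumber: 4c530001230115118492
[ 250.7] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 250.8] usb 1-3: SerialNumber: 0123456789AB
[ 300.4] usb 2-1: New USB device found, idVendor=13fe, idProduct=4300, bcdDevice= 1.00
"""

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")

def connected_devices(log_text):
    """Return {port: {"vidpid": ..., "serial": str or None}} from kernel log text."""
    devices = {}
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            devices[m.group(1)] = {"vidpid": f"{m.group(2)}:{m.group(3)}", "serial": None}
        elif (m := SERIAL.search(line)) and m.group(1) in devices:
            # Normalise case so inventory and log spellings compare equal.
            devices[m.group(1)]["serial"] = m.group(2).upper()
    return devices

def classify(devices, inventory, today, review_days=92):
    """Label each device as owned, owned-review-overdue or no-identifiable-owner."""
    known = {serial.upper(): entry for serial, entry in inventory.items()}
    result = {}
    for port, dev in devices.items():
        # A device with no serial cannot be tied to an owner, so it is denied.
        entry = known.get(dev["serial"]) if dev["serial"] else None
        if entry is None:
            result[port] = ("no-identifiable-owner", None)
        elif (today - entry[1]).days > review_days:  # quarterly review missed
            result[port] = ("owned-review-overdue", entry[0])
        else:
            result[port] = ("owned", entry[0])
    return result

if __name__ == "__main__":
    verdicts = classify(connected_devices(SAMPLE_LOG), INVENTORY, date(2024, 3, 1))
    for port, (status, owner) in verdicts.items():
        print(port, status, owner)
```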