NIST 800-53 REV 5 • MEDIA PROTECTION
MP-7(1) — Prohibit Use Without Owner
CMMC Practice Mapping
NIST 800-171 Mapping
Related Controls
No related controls listed
Practitioner Notes
Portable storage devices without an identifiable owner should not be used on your systems. If you find a random USB drive in the parking lot, plugging it in could introduce malware or be an intentional social engineering attack.
Example 1: Include a section in your security awareness training about the danger of unknown USB devices. Train employees to never plug in found or unidentified media. Instead, they should turn it in to IT security for safe inspection on an isolated workstation.
Example 2: Label all company-owned USB devices with asset tags or engravings that include the organization name and an asset number. Configure your endpoint protection to block USB devices that do not match your approved device list. Any unlabeled device is treated as unauthorized.
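The approved-device check from Example 2 can be sketched as follows. This is an added example, not part of the original page and not any endpoint product's API; the register layout, the `evaluate` function and all device identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    asset_number: str   # matches the tag or engraving on the device
    owner: str

def _norm(value: Optional[str]) -> str:
    # USB descriptors are reported with inconsistent case and padding.
    return (value or "").strip().upper()

# Constructed asset register: (vendor ID, product ID, serial) -> asset record.
_REGISTER = {
    ("1111", "2222", "SN0000A1"): Asset("ORG-USB-0001", "j.doe"),
    ("1111", "2222", "SN0000A2"): Asset("ORG-USB-0002", "it-security"),
}
APPROVED = {tuple(_norm(p) for p in k): v for k, v in _REGISTER.items()}

def evaluate(vid, pid, serial):
    """Return (decision, reason, asset) for one USB storage connection."""
    key = (_norm(vid), _norm(pid), _norm(serial))
    if not key[2]:
        # Without a serial the device cannot be tied to one asset record,
        # so it has no identifiable owner even if the model is familiar.
        return ("block", "no serial number; owner cannot be identified", None)
    asset = APPROVED.get(key)
    if asset is None:
        # Matching on vendor/product alone would approve every look-alike
        # drive of the same model, so the serial must match as well.
        same_model = any(k[:2] == key[:2] for k in APPROVED)
        reason = ("approved model but unregistered serial" if same_model
                  else "device not in asset register")
        return ("block", reason, None)
    return ("allow", "registered as " + asset.asset_number, asset)

if __name__ == "__main__":
    # Constructed connection events: (vid, pid, serial)
    events = [
        ("1111", "2222", "sn0000a1"),   # registered, lower-case serial
        ("1111", "2222", "SN0000FF"),   # same model, unknown serial
        ("1111", "2222", None),         # device reports no serial
        ("abcd", "0001", "XYZ123"),     # unknown device
    ]
    for event in events:
        decision, reason, _ = evaluate(*event)
        print(event, "->", decision, "-", reason)
```

Every blocked result is a candidate for the hand-in process described in Example 1, since the device has no owner on record.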