NIST 800-171 - Authorized Media Use (3.8.8)

Overview:
Prohibit the use of portable storage devices when such devices have no identifiable owner.


Action Items:
3.8.8[a]
Determine if: the use of portable storage devices is prohibited when such devices have no identifiable owner.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system configuration settings and associated documentation; system design documentation; system audit logs and records; other relevant documents or records.

2) Interview: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators.

3) Test: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components.


Related Documents (document name and content will vary by organization):
1) System media protection policy
2) System use policy
3) Procedures addressing media usage restrictions
4) System security plan
5) Rules of behavior
6) System configuration settings and associated documentation
7) System design documentation
8) System audit logs and records
9) Other relevant documents or records


Additional Guidance:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).