I'm curious about how other IT departments are handling removable storage governance and restrictions, especially when compliance is a factor like SOC II or SOX. We're a small business with about 600 users and 3 IT staff, primarily using Windows and employing CrowdStrike solutions. Recently, we invested in their device control solution to impose restrictions. After surveying our staff, we found that nearly 25% have valid needs for removable storage since we're an engineering firm that often requires USB thumb drives for tasks like installing firmware and collecting logs. I've created a workflow to manage the exceptions for those users within CrowdStrike's exclusion policy for compliance, but I'm wondering how others are addressing similar challenges. Do you have any specific solutions or strategies you've found effective?
1 Answer
It can be tricky, but consider only allowing known or encrypted USB drives. If users typically download files from managed devices, having that log of activities can be a solid control measure. Just make sure no unknown USBs are allowed in; that way, you keep track of what's being used.
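The control this answer describes (admit only known or encrypted drives, keep a record of every connection) expressed as an added Python example. It is not code from the answerer, from CrowdStrike, or from any vendor product; the allowlist entries, serial numbers, exception ticket ids, user names and the `key=value` log-line format are all constructed for illustration, not a real device-control export.

```python
"""Removable-storage policy check with an audit trail.

Policy modelled here (from the answer above):
  1. a drive whose serial is on the IT-issued allowlist is allowed,
  2. any other drive is allowed only if its volume reports encryption,
  3. everything else is blocked,
and every decision is written as an audit record.
"""
from dataclasses import dataclass
from typing import Iterable
import json

# Constructed allowlist of IT-issued drives: serial -> owner and the exception
# ticket that authorised it (sample values, not real devices or tickets).
KNOWN_DEVICES = {
    "ISSUED-0001": {"owner": "firmware-team", "exception": "EXC-101"},
    "ISSUED-0002": {"owner": "field-support", "exception": "EXC-107"},
}


@dataclass(frozen=True)
class UsbEvent:
    ts: str
    host: str
    user: str
    vid: str
    pid: str
    serial: str
    encrypted: bool


def parse_event(line: str) -> UsbEvent:
    """Parse one constructed 'key=value' device-connect record.

    The format is hypothetical; a real deployment would map the fields of its
    own device-control telemetry onto UsbEvent.
    """
    fields = dict(tok.split("=", 1) for tok in line.split())
    return UsbEvent(
        ts=fields["ts"], host=fields["host"], user=fields["user"],
        vid=fields["vid"], pid=fields["pid"], serial=fields["serial"],
        # A missing flag is treated as "not encrypted" (fail closed).
        encrypted=fields.get("encrypted", "false").lower() == "true",
    )


def evaluate(ev: UsbEvent) -> dict:
    """Apply the policy and return an audit record for this connection."""
    if ev.serial in KNOWN_DEVICES:
        decision = "allow"
        reason = f"known device, exception {KNOWN_DEVICES[ev.serial]['exception']}"
    elif ev.encrypted:
        decision = "allow"
        reason = "unknown device, but volume is encrypted"
    else:
        decision = "block"
        reason = "unknown and unencrypted device"
    return {
        "ts": ev.ts, "host": ev.host, "user": ev.user,
        "device": f"{ev.vid}:{ev.pid}/{ev.serial}",
        "decision": decision, "reason": reason,
    }


def audit(lines: Iterable[str]) -> list[dict]:
    """Evaluate every non-empty log line; the result is the audit trail."""
    return [evaluate(parse_event(line)) for line in lines if line.strip()]


def blocked_users(records: list[dict]) -> list[str]:
    """Distinct users who hit a block: a starting point for sizing the exception group."""
    return sorted({r["user"] for r in records if r["decision"] == "block"})


# Constructed sample log: one issued drive, one encrypted unknown drive, and an
# unknown unencrypted drive seen on two hosts.
SAMPLE_LOG = """\
ts=2024-05-01T09:12:00Z host=ENG-LT-17 user=jdoe vid=0781 pid=5583 serial=ISSUED-0001 encrypted=false
ts=2024-05-01T09:40:13Z host=ENG-LT-03 user=asmith vid=0951 pid=1666 serial=UNK-77A3 encrypted=true
ts=2024-05-01T10:05:44Z host=FIN-WS-09 user=bchen vid=0930 pid=6545 serial=UNK-9C1E encrypted=false
ts=2024-05-01T10:22:01Z host=ENG-LT-17 user=jdoe vid=0930 pid=6545 serial=UNK-9C1E encrypted=false
"""

if __name__ == "__main__":
    records = audit(SAMPLE_LOG.splitlines())
    for record in records:
        print(json.dumps(record))
    print("blocked users:", blocked_users(records))
```

The audit records are the evidence an auditor asks for: who connected which device, where, and why it was admitted. Keying the allowlist on the serial rather than on vendor and product ids keeps one issued model from acting as a blanket approval for every drive of that model, and treating a missing encryption flag as unencrypted means a gap in telemetry results in a block rather than a silent allow.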
That’s definitely a consideration for us too. We might even issue approved drives as a step forward after we get the larger group sorted out. It’s a bit of a process since our devices run Linux for firmware updates and log collection.