Secure Portable Media: Fillable template and example

Fillable template: Portable media policy DOCX, 40 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Portable media policy DOCX, 247 KB

Examples provide sample text to help learners complete a template.

Organization name or letterhead

Portable media policy

January 1, 2021

Disclaimer

[instructions: CyberSecure Canada has developed this template for your use in relation to certification requirements for the secure portable media security control area. It provides guidance as to how information can be organized and documented for certification. CyberSecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.]

Template instructions

[instructions: the purpose of this template is to help users meet the certification requirements for the secure portable media security control area for CyberSecure Canada.

Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.

It is recommended that users review the eLearning module for secure portable media and the completed example of this policy.]

Revision history

[instructions: it is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.]

The secure portable media policy has been modified as follows:

| Date | Version | Modification | Modifier |
| --- | --- | --- | --- |
| [date edited] | [document version] | [description of changes made] | [name of the editor] |

Scope

[instructions: determine to whom in your organization this policy will apply.

Insert your scope statement or use the example below.]

This policy shall apply to all employees of [organization name], and any other personnel interacting with systems and servers associated with portable media within [organization name].

Creation and use of portable media

[instructions: determine who will issue portable media in your organization.

Determine the uses of portable media within your organization.

Determine how portable media content will be secured.

Insert your policy statements related to the creation and use of portable media. Alternatively, you can use the example provided.]

  1. {insert person or role} is responsible for the issuance of portable media devices for employee usage.
  2. Authorized {insert organization name} portable media devices will be used to:
    1. Store company information
    2. Connect to company systems
  3. {insert organization name} provided portable media is not to be plugged into employees' personal devices.
  4. {insert organization name} provided portable media and its use will be tracked.
  5. {insert organization name} provided portable media will use encryption to ensure data and information are protected.
  6. {insert organization name} portable media remains the property of the organization.

Disposal of portable media

[instructions: the Canadian Cyber Centre has made guidelines on the disposal of portable media publicly available.

Determine who will be responsible for the disposal of portable media.

Determine how portable media will be disposed of and what actions will be taken to verify if content has been removed.

Insert your policy statements related to the disposal of portable media. Alternatively, you can use the example provided.]

  1. {insert person or team} is responsible for the disposal of portable media.
  2. {insert user/s} are to return portable media to the IT department for disposal.
  3. {insert organization name} provided portable media will be sanitized or destroyed before disposal.
  4. {insert organization name} laptops must have their hard drive and flash storage removed and destroyed prior to being recycled or sold.

Enforcement

[instructions: determine who will be responsible for enforcing this policy and the methods of doing so.

Insert your enforcement statements below or use the example provided.]

{insert organization name} is responsible for issuing portable media devices and providing training on their usage to all employees. Training must include key sections of this policy including issuance, use, and disposal of {insert organization name} portable media devices.

It is the responsibility of each employee to adhere to this policy when using portable media.

References

Canadian Centre for Cyber Security – ITSP.40.006 IT Media Sanitization: https://cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006

Additional certification requirements

Portable media sanitization/destruction process

[instructions: provide your organization's process for the sanitization or destruction of portable media before disposal.]