The purpose of this policy is to define standards, procedures, and restrictions for end users who have legitimate business requirements to connect portable removable media to any infrastructure within Richman Investments internal network or related technology resources. This removable media policy applies to, but is not limited to all devices and accompanying media that fit the following device classifications:
• Portable USB-based memory sticks, also known as flash drives, thumb drive, jump drives, or key drives.
• Memory cards in SD, CompactFlash, Memory Stick, or any related flash-based supplemental storage media.
• USB card readers that allow connectivity to a PC.
• Portable MP3 and MPEG-playing music and media player-type devices such as IPods with internal flash or hard drive based memory that supports a data storage function.
• PDAs, cell phone handsets, and smart phones with internal flash or hard drive based memory that support a data storage function.
• Digital cameras with internal or external memory support.
• Removable memory based media, such as DVDs, CDs, and floppy disks.
• Any hardware that provides connectivity to USB devices through means such as wireless (Wi-Fi, WiMAX, IrDA, Bluetooth, among others) or wired network access.
This policy applies to any hardware and related software that could be used to access corporate resources, even if said equipment is not corporately sanctioned, owned, or supplied. The overriding goal of this policy is to protect the confidentiality, integrity, and availability of resources and assets that reside within Richman Investments technology infrastructure. A breach could result in loss of information, damage to critical applications, loss of revenue, and damage to the company’s public image. Therefore, all users employing the use of removable media and/or USB-based technology to back up, store, or otherwise access corporate resources of any type must adhere to company defined processes for doing so.
This policy applies to all Richman Investment employees, including full and part time staff, contractors, freelancers, and other agents who utilize either company owned or personally owned removable media and/or USB-based technology to store, back-up, relocate, or access any organization owned asset or network resource. Employment at Richman Investments does not automatically guarantee the initial and ongoing ability to use these devices within the enterprise technology environment. It addresses the following threats:
Threat Description
Loss Devices used to transfer or transport work files could be lost or stolen.
Theft Sensitive corporate data is deliberately stolen and sold by an employee.
Copyright Software copied onto portable memory device could violate licensing.
Spyware Spyware or tracking code enters the network via memory media.
Malware Viruses, Trojans, Worms, and other threats could be introduced via external media.
Compliance Loss or theft of financial and/or personal and confidential data could expose the enterprise to the risk of non-compliance with various state and federal regulations.

Addition of new hardware, software, and/or related components to provide additional USB-related connectivity within corporate facilities will be managed at the sole discretion of IT. Non-sanctioned use of USB-based hardware, software, and/or related components to back up, store, or otherwise access any enterprise-related data is strictly forbidden.
All USB-based devices and the USB ports used to access workstations and other related connectivity points within the corporate firewall will be centrally managed by Richman Investments IT department and will utilize encryption and strong authentication measures. Although IT is not able to manage the external devices (such as home PCs) to which the memory resources will also be connected, end users are expected to adhere to the same security protocols when connected to non-corporate equipment. Failure to do so will result in immediate suspension of all network access privileges to protect the company’s infrastructure.
It is the responsibility of any Richman Investments employee using any type of removable media or connecting a USB-based memory device to the organizational network to ensure that all security protocols normally used in the management of data on conventional storage infrastructure are also applied here. It is imperative that any portable memory that is used to conduct Richman Investments business be utilized appropriately, responsibly, and ethically; failure to do so will result in immediate suspension that of user’s account. Based on this, the following rules must be observed:
1. IT reserves the right to refuse, by physical and non-physical means, the ability to connect removable media and USB devices to corporate and corporate-connected infrastructure. IT will engage in such action if it feels such equipment is being used in such a way that it puts the company’s system, data, users, and clients at risk.
2. End users who wish to connect such devices to non-corporate network infrastructure to gain access to enterprise data must employ, for their devices and related infrastructure, a company approved personal firewall and any other security measure deemed necessary by the IT department.
3. Employees using removable media and USB-related devices and related software for data storage, back up, transfer, or any other action within Richman Investments technology infrastructure will, without exception, use secure data storage and management procedures. A simple password is insufficient.
4. All removable media and/or USB-based devices that are used for business interests must be pre-approved by IT, and must employ reasonable physical security measures. End users are expected to secure all such devices used for this activity whether or not they are actually in use and/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices whenever they contain enterprise data. Any non-corporate computers used to synchronize with these devices will have installed whatever anti-virus and anti-malware deemed necessary by Richman Investments IT department. Anti-virus signature files on any additional client machines, such as a home PC, on which this media will be used must be updated in accordance with company policy.
5. All removable media will be subject to quarantine upon return to the office before they can be fully utilized on the enterprise infrastructure.
6. Richman Investments IT department will support its sanctioned hardware and software, but is not responsible for conflicts or problems caused by the use of unsanctioned media. This applies even to devices already known by the IT department.
7. Employees will make no modifications of any kind to company owned and installed hardware and software without the express approval of Richman Investments IT department. This includes, but is not limited to, reconfiguration of USB ports.
8. IT may restrict the use of Universal Plug and Play on any client PCs that it deems to be particularly sensitive.
9. IT reserves the right to disable USB ports to limit physical and virtual access.
10. IT can and will establish audit trails in all situations it feels merited. Such trails will be able to track the attachment of an external device to a PC, and the resulting reports may be used for investigations of possible breaches and/or misuse. The end user agrees to and accepts that his or her access and/or connection to Richman Investments networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity.

Failure to comply with the Removable Media Acceptable Use Policy may, at the full discretion of the organization, result in the suspension of any and all technology use and connectivity privileges, disciplinary action, and possibly termination of employment.

This policy is effective immediately. Any and all employees who use removable media and/or USB-related devices must bring them to IT for approval and to ensure that they meet the required criteria.