Portable Media

Security Standard

Portable media such as thumb drives or external hard drives are easily lost or stolen and may cause a security breach. We strongly discourage placing private information on portable media.

Scope

This standard applies to anyone who uses portable media to store or transport Private, Confidential, or Critical information.

Portable media (RIT-owned and privately-owned) includes, but is not limited to, CDs, DVDs, Flash Memory, portable hard drives, backup tapes, and any future portable media.

This standard does not apply to:

  • Non-digital forms of media including paper, audio or video tapes, etc. However, if this non-digital media contains Private or Confidential information, it must be handled in accordance with the Information Access and Protection Standard.

Requirements

The following security controls are required to be applied to, enabled, and/or operating on all portable or removable media based on the classification of information below:

  1. Private and Confidential Information

    • All new portable media should support ISO-Approved Encryption Methods. A list of acceptable encryption methods is available on the RIT Information Security website at Encryption at RIT.
    • The information should be encrypted on portable media used for backups, archives, and transport.
    • Portable media should be given reasonable physical protection from unauthorized use or theft.
    • Media that is to be disposed of or transitioned to another user should be overwritten so that the information is no longer recoverable. This may require destruction of the media.
    • Loss of portable media that contain Private or Confidential information or whose contents are unknown should be reported through the Incident Handling process.
  2. Critical Information

    • Information that supports critical processes should not be placed solely on portable media.

Approved Portable Media

When handling RIT Private or Confidential information, you should use only portable media that provides an approved encryption level (the RIT Information Security Office requires 128-bit or 256-bit AES encryption).

Unacceptable Portable Media

USB media that doesn't include encryption.

Encryption of CDs, DVDs, Removable Hard Drives, and Other Portable Media

Please contact the RIT Information Security Office for recommended encryption methods.

Third Party Encryption Products

The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Private or Confidential information when transferred by or stored on portable media.

Media Disposal Recommendations

Media and disposal method:

  • Paper: Use a shredder. Crosscut is preferred over a strip shredder.
  • CD, DVD, diskette, etc.: Use the media shredder (located at the RIT Service Center, 7B-1113).
  • Hard Drives:
    • If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.
    • If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the RIT Service Center, 7B-1113). (Not for SSDs)
  • Tapes: Use the degausser (located at the RIT Service Center, 7B-1113).
  • Other: Use an industry standard means of secure disposal.

Effective Date:

  • September 1, 2008

Standard History:

  • May 15, 2008
  • November 11, 2013