Portable media such as thumb drives or external hard drives are easily lost or stolen and may cause a security breach. We strongly discourage placing private information on portable media.
This standard applies to anyone who uses portable media to store or transport Private, Confidential, or Critical information.
Portable media includes, but is not limited to, CDs, DVDs, flash memory, portable hard drives, backup tapes, and any future portable media (RIT-owned and privately owned).
This standard does not apply to:
Non-digital forms of media including paper, audio or video tapes, etc. However, if this non-digital media contains Private or Confidential information it must be handled in accordance with the Information Access and Protection Standard.
The following security controls are required to be applied to, enabled, and/or operating on all portable or removable media based on the classification of information below:
Private and Confidential Information
All new portable media should support ISO-Approved Encryption Methods. A list of acceptable encryption methods is available on the RIT Information Security website at Encryption at RIT.
The information should be encrypted on portable media used for backups, archives, and transport.
Portable media should be given reasonable physical protection from unauthorized use or theft.
Media that is to be disposed of or transitioned to another user should be overwritten so that the information is no longer recoverable. This may require destruction of the media.
Loss of portable media that contain Private or Confidential information or whose contents are unknown should be reported through the Incident Handling process.
Information that supports critical processes should not be placed solely on portable media.
Approved Portable Media
When handling RIT Private or Confidential information, you should use only portable media that provides an approved encryption level (the RIT Information Security Office requires 128-bit or 256-bit AES encryption).
Unacceptable Portable Media
USB media that doesn't include encryption.
Encryption of CDs, DVDs, Removable Hard Drives, and Other Portable Media
Please contact the RIT Information Security Office for recommended encryption methods.
Third Party Encryption Products
The RIT Information Security Office requires 128-bit or 256-bit AES encryption to protect RIT Private or Confidential information when transferred by or stored on portable media.
Media Disposal Recommendations
Use a shredder. Crosscut is preferred over a strip shredder.
CD, DVD, diskette, etc.
Use the media shredder (located at the RIT Service Center, 7B-1113).
If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.
If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the RIT Service Center, 7B-1113). (Not for SSDs)
Use the degausser (located at the RIT Service Center, 7B-1113).
Use an industry standard means of secure disposal.