What is USB Lockdown in the RESPEC Environment?

USB Lockdown is a set of technical controls applied to staff computers that prevent USB storage devices from being recognized and accessed when they are plugged in.


What devices are affected?

Any device that presents itself to Windows as a “USB Storage Device” will not be allowed to connect to a computer through a USB port. This includes cameras, SD cards, external hard drives, smart phones, thumb drives, and many other types of devices.


Why are we doing this?

RESPEC continually updates its security measures when planning and operating our technology infrastructure, to prevent data breaches and lost time caused by malicious actors. External storage devices are a significant risk to an organization: they can carry data out and bring malicious code in. Additionally, RESPEC has a goal of increasing our DFARS compliance score, which requires a level of control over storage devices in our organization.

Types of USB Devices and rules for each

There are several frequently used USB devices in the RESPEC environment. Some of the most common use cases are outlined below with our specific approach to limiting and approving their use.

Employee Phones being connected via USB

How is it used?

Employees who use their personal cellular device for work often take photographs of client locations with their device. The photos are used in project work and need to be transferred from their device into their project folders.

How is it blocked?

All smart phone devices will be blocked from accessing USB ports on employee computers. Exceptions to this will not be allowed.

How do employees work around this? 

RESPEC has implemented Mobile Application Management (MAM) for smart devices. This allows certain apps, such as OneDrive, to be used to securely import data from your phone into the work-related app. Data is not allowed to be exported from the managed apps back to the phone. This provides a reasonable workaround for the need to plug a device in and download photos.

Employees can connect their device to the RESPEC_Guest WiFi and use the Microsoft OneDrive app to upload multiple photos at once to their OneDrive cloud account. Once this is done they can access all the photos in their OneDrive account from their computer and transfer them into project folders.

For more information, see our solutions article on Using OneDrive with your Smart Phone.

SD Cards for Drones, Cameras and other RESPEC-owned equipment

How is it used?

Several employees in RESPEC use SD cards inserted into drones to capture photographic data that is used for modeling in projects. The SD cards are swapped regularly while capturing project data, so a user may need several cards at a time to be allowed so that data can be moved from them to RESPEC computers for processing.

How is it blocked?

All SD cards are blocked unless specifically white listed as an allowed SD card using its unique serial number.

How do employees work around this? 

Request that the SD card be added to the white list of SD cards. Users should be using the same SD cards on a regular basis and should not need to request white list exceptions often.


Requires CITS approval for exceptions both temporary and permanent

Small Flash Storage Devices (Thumb Drives)

How is it used?

Some clients may require project proposal data to be placed on a thumb drive and sent to them. These devices should be brand new and can be temporarily allowed so that data can be placed on the device.

How is it blocked?

All thumb drives are blocked unless specifically white listed as an allowed thumb drive using its unique serial number.

How do employees work around this? 

For project work, users will need to procure a USB drive to deliver to the customer and request a temporary exception when the deliverable is ready. CITS will provide a 48 hour exception for the drive to be accessible. The project data is then copied to the drive and delivered to the customer.

Thumb drives for general purpose use or for moving files around the office will not be given an exception.


Requires CITS approval for temporary exceptions and VP and CIO approval for permanent
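Both the SD card and thumb drive exceptions above are keyed on the serial number the device reports to Windows. The following PowerShell snippet is an added example, not part of this RESPEC article or a CITS tool, showing how to collect that identifier on a Windows 8 / Server 2012 or later workstation before submitting an exception request. It assumes the device is inserted, that PowerShell is run elevated, and that the device enumerates as a disk with a USB or SD bus type; the function name Get-UsbStorageIdentity is made up for this example.

```powershell
# Added example (not RESPEC/CITS code): list attached USB and SD storage devices
# with the identifiers a per-device allow list is keyed on.
# Assumes Windows 8 / Server 2012 or later (Get-Disk and Get-PnpDevice are built in)
# and an elevated prompt. The function name is hypothetical.

function Get-UsbStorageIdentity {
    [CmdletBinding()]
    param()

    # Disks attached over USB (thumb drives, card readers, external HDDs) or a
    # built-in SD host. Internal SATA/NVMe disks are excluded by bus type.
    $disks = Get-Disk | Where-Object { $_.BusType -in @('USB', 'SD') }

    foreach ($disk in $disks) {
        # The Plug and Play instance ID for a USB disk has the form
        #   USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&0
        # The last path segment is the device-reported serial number.
        # Matching on FriendlyName is an assumption that holds for single
        # devices; with two identical models inserted, compare by serial instead.
        $pnp = Get-PnpDevice -Class DiskDrive -PresentOnly |
               Where-Object { $_.FriendlyName -eq $disk.FriendlyName } |
               Select-Object -First 1

        # A blank, all-zero or vendor-shared serial cannot be allow-listed
        # reliably; flag it so the request can say so.
        $serial = $disk.SerialNumber
        $serialUsable = -not [string]::IsNullOrWhiteSpace($serial) -and
                        ($serial.Trim() -notmatch '^0+$')

        [PSCustomObject]@{
            DiskNumber    = $disk.Number
            FriendlyName  = $disk.FriendlyName
            BusType       = $disk.BusType
            SerialNumber  = $serial
            InstanceId    = if ($pnp) { $pnp.InstanceId } else { $null }
            SerialUsable  = $serialUsable
        }
    }
}

# Usage: run with the SD card or thumb drive inserted and attach the output
# to the exception request.
Get-UsbStorageIdentity | Format-List
```

Note that an allow list keyed on a serial number identifies a particular piece of hardware; it says nothing about what is stored on it. Files copied from an allow-listed card or drive are still untrusted input, and a device whose SerialUsable value is False should not be proposed for the white list at all, because the control cannot distinguish it from other devices reporting the same (or no) serial.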

External Hard Drive Usage

How is it used?

Users may have stored GIS or project data on an external drive in the past and may want to continue doing so.

How is it blocked?

External drives are blocked by the system; no external hard drive can be used without an exception.

How do employees work around this? 

If there is data on a drive that needs to be accessed, CITS may provide a temporary exception for the drive so that the user can migrate the data to another storage location on the network. Permanent drive exceptions will not be allowed unless there is a strong use case for which we have no workaround.


Requires VP and CIO approval for temporary or permanent exception

All USB Storage devices not addressed specifically

How is it used?

Depending on the scenario, there may be a need to plug a unique drive into a system and access its data.

How is it blocked?

These drives are strictly blocked by default. The main purpose of blocking USB storage is to prevent unknown USB devices that could carry malicious code from being attached to our systems. An exception only identifies a specific device by its serial number; it does not vouch for the files on it, so media that has been allow-listed should still be treated as untrusted input.

How do employees work around this? 

Depending on the specific business need and on whether an acceptable workaround exists, we may leave the device blocked, issue a temporary exception, or grant a permanent exception. These scenarios need to be submitted to CITS for review and will require CITS management approval and the user's manager's approval.


Requires VP and CIO approval for temporary and permanent exception

Getting an exception for a USB device to be accessible

Permanent Exceptions

  • SD card for a drone, camera or other RESPEC-approved gear, and/or client data gathered and used on a regular basis

Temporary Exception Examples

  • External DVD drive to allow project data to be transferred to disc (when cloud sharing is absolutely not allowed by the client)

  • Thumb drive to allow project data to be transferred to the drive (when cloud sharing is absolutely not allowed by the client)


Click here to access the form