CIS Control 3.9: Encrypt Data on Removable Media
Removable media—USB drives, external hard drives, SD cards—represent a critical data loss vector if lost or stolen unencrypted. CIS Control 3.9 requires encryption of all data on removable media to prevent unauthorized access. This control is essential for protecting sensitive information outside your network perimeter.
What this means
CIS Control 3.9 mandates that any data stored on removable media must be encrypted using strong encryption standards. This includes USB flash drives, external hard drives, optical media, and memory cards. The control ensures that even if removable media is lost, stolen, or accessed by unauthorized personnel, the data remains protected and unreadable without proper decryption keys.
How to comply
- 1.Establish a removable media encryption policy requiring AES-256 or equivalent encryption standard
- 2.Select and deploy full-disk encryption tools compatible with your operating systems (BitLocker for Windows, FileVault for macOS, LUKS for Linux)
- 3.Create a centralized key management process to securely store and control encryption keys
- 4.Configure endpoint protection to automatically encrypt removable media upon connection
- 5.Restrict removable media access to authorized users through group policies and access controls
- 6.Train staff on secure removable media handling and encryption procedures
- 7.Conduct quarterly audits to verify all removable media in use is encrypted
- 8.Document encryption configurations and key management procedures for audit evidence
Evidence auditors look for
- Documented removable media encryption policy signed by management
- Encryption software deployment logs showing coverage across all endpoints
- List of approved encryption tools and their configuration settings
- Key management procedures and secure storage location documentation
- Endpoint protection configuration reports verifying automatic encryption
- Access control rules limiting removable media use to authorized roles
- Employee training records on removable media security practices
- Audit logs confirming encryption status of sampled removable media devices
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically inventories removable media across your endpoints and flags unencrypted devices, automatically monitoring your CIS 3.9 compliance status in real-time without manual audits.
See how GRCWatch handles this control automatically
Start free trial