Removable Media Standards

Overview 

To protect the University’s information systems and sensitive data, strict guidelines have been established for the use of removable media (e.g., USB drives, external hard drives, SD cards). These devices can pose serious security risks if not managed properly. Norwich University discourages the use of removable media unless there is a legitimate business need.   This document outlines the University's standards for the use, handling, and approval of removable media. 

Definition 

Removable Media includes any portable storage device that can be connected to a computer to read or write data. This includes, but is not limited to: 

  • USB flash drives (thumb drives) 

  • External hard drives 

  • SD cards 

  • Writable CDs/DVDs 

  • Portable solid-state drives (SSDs) 

 

Key Standards 

1. Approval Required 

  • All removable media must be approved by the Office of the CIO before being used with any University-owned system. 

  • Unauthorized use of removable media is strictly prohibited. 

  • Norwich ITS provides SecureData drives that are Approved due to their encryption and security controls.  

  • Removable Media devices that cannot be provided via Secure Data due to restrictions on encryption MUST be approved by Norwich ITS and documented before use. 

2. Data Encryption 

  • All removable media approved for storing or transferring University data must be encrypted. 

3. No Storage of Sensitive Data 

  • Removable media must not be used to store or transfer: 

  • Personally Identifiable Information (PII) 

  • Protected Health Information (PHI) 

  • Payment card data (PCI) 

  • Confidential student records (e.g., under FERPA) 

  • If there is a legitimate business need, the Office of CIO must authorize the use and oversee proper safeguards. 

4. Loss or Theft Reporting 

  • If removable media is lost or stolen, it must be reported to ITS immediately. 

  • The University reserves the right to conduct incident investigations and take appropriate actions in response. 

5. Secure Disposal 

  • When no longer needed, removable media must be: 

  • Wiped securely using ITS-approved data destruction tools, or 

  • Physically destroyed and disposed of through an ITS-approved process. 

How to Request Removable Media Approval 

To request approval for removable media use: 

  1. Submit a request through the Norwich ITS Ticketing System (TDX). 

  1. Include details about the intended use, data type, and duration. 

  1. Norwich ITS will review and approve or deny based on security and compliance considerations and issued an appropriate SecureData Drive.