Removable Media Encryption
Purpose
This document provides evidence that Onramp enforces controls over portable and removable media devices to protect sensitive data. It covers encryption requirements, device access policies, and configuration evidence required to demonstrate compliance during an audit.
Ownership
- Responsible Team: Engineering
- Primary Owner: VP of Engineering - Jacob Ditslear
- Secondary Owner: Staff Engineer - Kevin Mulcrone
- Reviewer: Chief Operating Officer - Nick Delozier
Frequency & History
This document should be reviewed at least annually and whenever changes are made to endpoint management policies or device access controls.
Version History
| Date | Reviewer | Summary of Changes |
|---|---|---|
| YYYY-MM-DD | NAME | Initial creation |
Policy Overview
Onramp's approach to removable media falls into one of the following categories. Select the applicable strategy and provide the corresponding evidence below.
| Strategy | Description | Applicable |
|---|---|---|
| Block removable media entirely | Write access to USB and external storage devices is disabled via MDM/endpoint policy | Yes / No |
| Encrypt removable media | Data written to removable media is automatically encrypted via OS or endpoint controls | Yes / No |
| Removable media not in use | Organization does not use removable media; compensating controls are in place | Yes / No |
Option A: Block / Prevent Write Access
If the organization blocks write access to removable media devices, provide configuration evidence below.
MDM / Endpoint Management Configuration
MDM Platform: (e.g. Jamf, Kandji, Intune, Fleet)
| Setting | Configured Value | Expected Value | Compliant |
|---|---|---|---|
| USB storage write access | | Blocked | Yes / No |
| External disk write access | | Blocked | Yes / No |
| Bluetooth file transfer | | Blocked | Yes / No |
| SD card write access | | Blocked | Yes / No |
Evidence Collection Instructions
- Navigate to the MDM console and locate the device restriction or storage policy
- Capture a screenshot showing the removable media restrictions are active and applied
- The screenshot should include:
  - Policy name
  - Restriction settings for USB / external storage
  - Scope of devices the policy is applied to
  - Date the policy was last modified
Evidence
Screenshot 1 — MDM Policy Configuration
Description: Replace with a brief description (e.g. "Kandji device restriction profile blocking USB storage write access")
Captured on YYYY-MM-DD — Description of what the screenshot shows.
Screenshot 2 — Policy Assignment / Scope
Description: Replace with a brief description (e.g. "Policy applied to all company-managed macOS devices")
Captured on YYYY-MM-DD — Description of what the screenshot shows.
Option B: Enforce Encryption on Removable Media
If the organization allows removable media but enforces encryption, provide evidence below.
Encryption Controls
| Control | Method / Tool | Configured | Compliant |
|---|---|---|---|
| FileVault / BitLocker on external disks | | Yes / No | Yes / No |
| Forced encryption on USB write | | Yes / No | Yes / No |
| Endpoint DLP requiring encryption | | Yes / No | Yes / No |
Evidence Collection Instructions
- Capture a screenshot of the endpoint or DLP policy enforcing encryption on removable media
- The screenshot should include:
  - Policy name and encryption requirements
  - Scope of devices affected
  - Enforcement action (block unencrypted writes, prompt user, etc.)
Evidence
Screenshot 1 — Encryption Policy
Description: Replace with a brief description (e.g. "Intune policy requiring BitLocker encryption on removable drives")
Captured on YYYY-MM-DD — Description of what the screenshot shows.
Option C: Removable Media Not in Use
If the organization does not use removable media, document compensating controls.
Compensating Controls
| Control | Description | In Place |
|---|---|---|
| No removable media issued to staff | | Yes / No |
| Acceptable use policy prohibits use | | Yes / No |
| Endpoint monitoring for USB activity | | Yes / No |
| Cloud-based file transfer enforced | | Yes / No |
Evidence
Provide a reference to the acceptable use policy or employee handbook section that addresses removable media, and any endpoint logs showing no removable media activity.
Compliance Summary
| Control Area | Status | Evidence Provided |
|---|---|---|
| Removable media policy | Compliant / Partially Compliant / Non-Compliant | |
| Encryption or block in place | Compliant / Partially Compliant / Non-Compliant | |
| Evidence captured | Yes / No | |
Overall Assessment
Provide an overall compliance status (Compliant / Partially Compliant / Non-Compliant) and a brief narrative summarizing the state of removable media controls.
Sign-Off
| Role | Name | Date | Signature |
|---|---|---|---|
| Primary Owner | | | |
| Secondary Owner | | | |
| Reviewer | | | |