When it comes to managing USB storage devices on your network, what solutions do some of you have in place? We need to manage this better for CMMC (compliance).
Sort by:
Managing USB storage should be one part of a broader information security strategy. On a Microsoft-driven stack starting points are BitLocker, Intune, Microsoft Purview Information Protection, Microsoft Purview Data Loss Prevention.
Here's how you can enforce encryption for Windows computers and removable storage with Intune:
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#windows-encryption
It's also possible to do so via Windows Group Policy Objects:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=common
You can use device control of some endpoint protection solutions, like Kaspersky, but I use Sophos Intercept X because you don´t only can block USB ports, it also has a strong integrated DLP solution in the same product to prevent leaks by email, Google Drive, WhatsApp etc.
I agree with James Coe below - your wider information security must deal with enterprise risks systemic to your organisation.
Management of USB data sticks must align to your business objectives and Data Loss Prevention information security policy.
Some users may need USB data sticks - but generally these need to be managed carefully in alignment with the information security polices but exception only, with request made on the ITSM for auditing and recorded in the risk register.
Generally USB data-sticks must not be allowed but USB power delivery is - with enterprise endpoint tools like MS-intune.
Mitigations and countermeasures need to be put in place to allow data-sharing between employees and pre-screened partners.
Identity and Access Management (SSO, MFA etc) with a cloud secure share (google workspace or MIcrosoft Team/sharepoint) is your an enterprise alternative and with manageable data collaboration tools.