13.7: Manage USB Devices
If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Data | Protect | 2, 3 |
Dependencies
Sub-control 1.4: Maintain Detailed Asset Inventory
Sub-control 1.5: Maintain Asset Inventory Information
Sub-control 2.1: Maintain Inventory of Authorized Software
Sub-control 2.5: Integrate Software and Hardware Asset Inventories
Inputs
1. The list of endpoints
2. The list of authorized USB storage devices
3. Enterprise software which can configure systems to allow the use of specific devices
Operations
1. For each endpoint “i”, determine if the software specified by Input 3 is installed (M2(i))
2. For each endpoint “i”, collect the whitelist of USB devices allowed for use (M3(i))
3. For each endpoint’s whitelist, calculate the intersection with the authorized USB device inventory from Input 2. The “right-side” of the calculation indicates USB devices on the endpoint’s whitelist which are not contained in the authorized USB device inventory.
Measures
M1 = Count of endpoints
M2(i) = (For each endpoint “i”) 1 if Operation 1 indicates the appropriate software is installed on device “i”; 0 otherwise
M3 = (For each endpoint) The number of USB devices allowed
M4 = (For each endpoint) The number of USB devices contained in the whitelist which are not in the authorized USB device inventory
M5(i) = (For each endpoint “i”) 1 if M4 > 0 for device “i”; 0 otherwise
Metrics
Whitelisting Software Coverage
Metric | The ratio of endpoints with whitelisting software installed to the total number of endpoints. |
---|---|
Calculation | |
Non-Inventoried but Whitelisted
Metric | The ratio of endpoints with non-inventoried but whitelisted USB device allowance to the total number of endpoints. |
---|---|
Calculation | |
Full Coverage
Metric | The ratio of endpoints with inventoried USB storage device capability and USB whitelisting software installed to the total number of endpoints. |
---|---|
Calculation | |
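An added example (not part of the CIS specification) that runs Operations 1 to 3 over constructed data and derives the measures and the three ratios as the Metric descriptions word them. The device ID format, the `normalize` step, all names, and the reading of Full Coverage as M2(i) = 1 with M5(i) = 0 are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data; device IDs use an assumed "VID:PID:serial" form.
AUTHORIZED_USB = {"0781:5583:A1", "0951:1666:B2", "090c:1000:C3"}  # Input 2

@dataclass
class Endpoint:                                   # one entry of Input 1
    name: str
    software_installed: bool                      # result of Operation 1
    whitelist: set = field(default_factory=set)   # result of Operation 2

ENDPOINTS = [
    Endpoint("ws-01", True, {"0781:5583:A1", "0951:1666:B2"}),
    Endpoint("ws-02", True, {"0781:5583:A1", "ffff:0001:ZZ"}),  # entry not in inventory
    Endpoint("ws-03", False),                                   # no control software
    Endpoint("ws-04", True, {" 090C:1000:c3 "}),                # same device, messy export
]

def normalize(device_id: str) -> str:
    """Assumed rule: compare IDs case-insensitively, ignoring stray whitespace."""
    return device_id.strip().lower()

def assess(endpoints, authorized):
    """Return per-endpoint measures M2..M5 and the three ratios over M1."""
    auth = {normalize(d) for d in authorized}
    rows = []
    for ep in endpoints:
        allowed = {normalize(d) for d in ep.whitelist}
        unlisted = allowed - auth        # Operation 3: whitelisted but not inventoried
        rows.append({"endpoint": ep.name, "M2": int(ep.software_installed),
                     "M3": len(allowed), "M4": len(unlisted),
                     "M5": int(bool(unlisted)), "unlisted": sorted(unlisted)})
    m1 = len(rows)
    if m1 == 0:
        raise ValueError("no endpoints to assess (M1 = 0)")
    return {
        "M1": m1, "rows": rows,
        "software_coverage": sum(r["M2"] for r in rows) / m1,
        "non_inventoried": sum(r["M5"] for r in rows) / m1,
        # Assumed reading: software installed AND no non-inventoried whitelist entry.
        "full_coverage": sum(r["M2"] and not r["M5"] for r in rows) / m1,
    }

if __name__ == "__main__":
    for key, value in assess(ENDPOINTS, AUTHORIZED_USB).items():
        print(key, value)
```

The `unlisted` field names the whitelist entries to reconcile, either by adding the device to the inventory or by removing it from the endpoint policy.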