12.3 Removable media policy
12.3.1. The relevant entities shall establish, implement and apply a policy on the management of removable storage media and communicate it to their employees and third parties who handle removable storage media at the relevant entities’ premises or other locations where the removable media is connected to the relevant entities’ network and information systems.
12.3.2. The policy shall:
(a) provide for a technical prohibition of the connection of removable media unless there is an organisational reason for their use;
(b) provide for disabling self-execution from such media and scanning the media for malicious code before they are used on the entities’ systems;
(c) provide measures for controlling and protecting portable storage devices containing data while in transit and in storage;
(d) where appropriate, provide measures for the use of cryptographic techniques to protect information on removable storage media.
12.3.3. The relevant entities shall review and, where appropriate, update the policy at planned intervals and when significant incidents or significant changes to operations or risks occur.