Overview

Removable media includes everything from CDs and DVDs to USB sticks and hard drives. Because it is small and easily transportable, this media is easily lost or stolen, so its use increases the risk of data disclosure or loss.

A good removable media policy specifies how and when removable media may be used, reducing the likelihood of data loss or disclosure. The policy should set limits on use and specify that the devices must be encrypted. Encryption prevents data disclosure even if the device is lost or stolen.

Why are they asking this?

Because of the risk created by the possible loss or disclosure of their data, they want to be sure that there are some efforts to reduce the use of removable media. A strong removable media policy should limit the use of removable media to only when necessary, ensure that the media is encrypted when used, and ensure that proper handling procedures are followed.

What do they expect?

They expect that a removable media policy exists, specifying that removable media is to be used only when necessary, that it is encrypted when used, and that proper handling procedures are followed. They also expect certain types of media, such as CDs and DVDs, to be labeled with their contents so that they are not mistaken for blank discs or for ones holding non-sensitive data or music. This same requirement may apply to other media, depending on the nature of the data and the environment.