Back to Monitoring component
Capability MO.8

Removable Media Monitoring

"Removable media is monitored according to policy."

This capability evaluates whether the organization has the ownership, process, evidence, and oversight needed to manage removable media monitoring as part of a defensible insider risk monitoring program.

Scope & Context

What This Capability Means

Removable Media Monitoring assesses whether removable media use is monitored, governed, logged, and controlled according to policy.

Strategic Importance

Why This Capability Matters

USB drives and other portable media remain common pathways for data movement, policy violations, and insider misuse. Mature monitoring helps teams distinguish authorized use from risky transfer activity.

AI Monitoring Context

Removable media monitoring should account for movement of AI-related assets such as datasets, model files, embeddings, prompt logs, generated content, source code, and exports from AI development environments.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Removable media inventory is incomplete or outdated.

  • Authorized and unauthorized media cannot be distinguished.

  • Copy events, file hashes, and transfer volumes are not logged.

  • Unapproved media are not blocked or alerted.

  • Media audits are irregular or disconnected from risk management.

Signs of Mature Capability
  • Approved removable media are inventoried and tied to owners.

  • Copy events, file metadata, hashes, and transfer volumes are logged where appropriate.

  • Unapproved or unencrypted media use is blocked, alerted, or escalated.

  • Media controls are reconciled and audited periodically.

  • Findings are connected to DLP, endpoint monitoring, and insider risk triage.

Executive Oversight

Questions Leaders Should Ask

Security, legal, and operational executives can use these core questions to evaluate ownership, effectiveness, and evidence.

Which removable media devices are authorized?

Can the program identify large or unusual copy activity?

Are unapproved devices blocked or escalated?

How is encryption enforced for approved media?

Are media inventory and control exceptions audited?

Defensibility & Audit

Evidence Examples

These artifacts demonstrate that the monitoring capability is operational, documented, and aligned with standard practices.

Removable media policy

Approved media inventory

Device-control configuration

Copy event logs

Encryption enforcement records

Exception approvals

Quarterly audit records

Alignment Mappings

Mapped Standards & References

Reference StandardRelevance Statement
NIST 800-53, r5 (3.11, PE-5)Supports controls related to physical access and information system output or media handling.
ISO 27002, 12.4.1Supports event logging and monitoring expectations.

Use this mapping to ask:

  • Which removable media devices are authorized?

  • Can the program identify large or unusual copy activity?

  • Are unapproved devices blocked or escalated?

  • How is encryption enforced for approved media?

Note: Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

Related RiskTKO® Outcomes

Evidence CategoryOperational Example
Assessment evidenceRemovable media policy, Approved media inventory, Device-control configuration.
AI-related evidenceAI dataset transfer alerts, model file movement logs, embedding export monitoring, removable media exception records.
Risk evidenceRisk register item or exposure narrative tied to removable media monitoring.
Roadmap evidenceRecommended action to improve removable media monitoring, with owner, milestone, and completion status.
Executive evidenceExecutive summary showing current state, progress, remaining gaps, and risk reduction for removable media monitoring.

RiskTKO® protects proprietary logic (scoring metrics, weights, questionnaire logic, automated roadmap planning) while operationalizing these evidence logs inside the assessment dashboard.

Operationalize This Capability

Assess MO.8 in RiskTKO®

The public framework defines what good looks like. RiskTKO® helps teams assess where they stand, identify gaps, prioritize what to fix, build a roadmap, and generate executive-ready evidence.