SSAFA Volunteer Knowledgebase

Removable Media Policy

This Removable Media Policy serves as an addendum to SSAFA’s overarching IT Policy. It provides specific guidance and mandatory requirements regarding the use of removable media within the organisation.

By supplementing the broader IT framework, this policy aims to mitigate risks associated with data loss, data leakage, unauthorised access, and malware infections, while ensuring that any use of removable media is aligned with business requirements, controlled, and secure.

This policy is subject to the same scope and monitoring provisions outlined in the main IT Policy. Any breach of this policy will be handled in accordance with the Non-Compliance section of the IT Policy.

Removable Media Definition

Removable media includes, but is not limited to:

  • USB flash drives
  • External hard drives
  • SD cards
  • CDs/DVDs
  • Any other portable storage devices capable of storing digital data

Policy

To safeguard against data loss, data leakage, malware infections, and unauthorised access, the use of removable media is blocked by default across all organisational systems.

Access to removable media may be granted only where there is a legitimate business need, and must follow a formal request process:

  • Requests must be submitted via the IT Helpdesk.
  • Each request must include a clear business justification and director-level approval.

Once approved, the use of removable media must remain strictly aligned with the original business justification. Any new or changed requirements must be submitted as a separate request and go through the same approval process.

Where technically feasible, devices should be encrypted to ensure the confidentiality and integrity of the data.

Suspected misuse, loss, or security incidents involving removable media should immediately be reported, in line with the organisation’s incident response procedures.

The IT Department retains sole authority to determine which removable media devices will be used, based on the original business justification, to ensure compatibility and security of removable media.

Annual audits will be completed on whitelisted devices, and devices that are no longer required will be removed from the whitelist to maintain security and minimise risk.
