Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management Administration Guide


1.7.7 Restricting the use of USB devices

Computers in your organization hold various types of data, such as customer data, sales data, and development data. If any of this confidential information leaks, the damage is severe and your organization's reputation suffers as well. For that reason, you need to take security measures that protect confidential information by preventing data from being taken out or lost.

Using JP1/IT Desktop Management, you can deter read and write operations on external media. By using this function, you can prevent information leakage caused by data being taken out of the organization.

This subsection explains how to restrict the use of USB devices. To restrict the use of USB devices, the following two methods are available:

[Figure]

To lend a USB device so as to prohibit the use of privately-owned USB devices:

1. Register authorized USB devices.

Prepare USB devices to be lent, and then register them in JP1/IT Desktop Management as authorized USB devices.

2. Deter the use of any USB devices other than the authorized USB devices.

Using JP1/IT Desktop Management, deter read and write operations on USB devices. At the same time, permit the use of only the USB devices registered in step 1.

3. Lend an authorized USB device.

Have a user who wants to use a USB device submit an application to you, check the content of the application, and then lend a USB device to that user.

Using JP1/IT Desktop Management, change the asset status of the USB device when it is lent and when it is returned.

4. Check the usage log of the lent USB device.

Check whether the lent USB device has been used as stated in the submitted application.

In this way, the usage status of the USB devices can be properly managed and data cannot be taken out unnecessarily.


Organization of this subsection

(1) Registering authorized USB devices

To prevent information leakage caused by data being taken out, permit the use of specific USB devices and prohibit the use of all other USB devices. For example, you can deter the use of privately-owned USB devices by permitting the use of only the USB devices owned by your organization.

To permit the use of specific USB devices only, you need to register authorized USB devices first.

1. Register USB devices.

Prepare USB devices to be lent, and then register them as authorized USB devices. When registering the USB devices, set registrant information to make clear who registered these USB devices.

When you have registered the USB devices, hardware asset information about the USB devices is registered in the Hardware Asset view of the Assets module.

Tip

If you want the user to register a USB device, set the authentication information for USB device registration in the agent configuration, and then assign the agent configuration to the user's computer in advance. Then, inform the user about the authentication information and registration method if necessary, and ask the user to register a USB device.

2. Edit the hardware asset information.

Unconfirmed is displayed under Asset Status for the hardware asset information of the registered USB devices. Also, only the information that is collected from the USB devices and the user information that has been set at the time of registration are registered. Therefore, manually register information that is not automatically collected such as Asset # and Asset Status (In Stock). Set Asset Status to any value other than Unconfirmed and Disposed to register the USB devices as authorized USB devices.

The authorized USB devices are now registered.


(2) Deterring the use of any USB device other than the authorized USB devices

To prevent information leakage caused by data being taken out, permit the use of specific USB devices and prohibit the use of all other USB devices. For example, you can deter the use of privately-owned USB devices by permitting the use of only the USB devices owned by your organization.

After registering authorized USB devices, you need to deter the use of any USB devices other than the authorized USB devices.

Set a prohibited operation policy.

To deter the use of any USB devices other than the authorized USB devices, set a prohibited operation policy. At the same time, permit the use of the authorized USB devices only.

The use of any USB devices other than the authorized USB devices is now deterred.


(3) Lending a USB device to a user

When you permit the use of only the USB devices owned by your organization (USB devices already registered in JP1/IT Desktop Management), you need to lend such a USB device to any user who intends to use a USB device. In such a case, have that user submit an application for USB device use, and when the intended use is appropriate, lend a USB device to the user.

1. Have the user submit an application for USB device use.

Obtain the following information to manage the USB device lending operation:

  • Date of usage

  • Date of return

  • Intended use

  • Department

  • User name

  • Email address

  • Phone number

  • Asset management number of the computer to use the USB device

  • Name of the file containing the data to be written to the USB device

2. Lend a USB device to the user.

When the intended use is appropriate, lend a USB device to the user.

To manage the borrower of the USB device, edit the asset information of that USB device and change the user information of that USB device to the borrowing user's information. If you do not want to change the user information of the USB device, add a management item for borrower management or save a history in the Notes tab such as the date of lending and the borrower.

After lending the USB device, to make it clear that the USB device is being lent, change the value for Asset Status by adding a new status (such as On Loan) to Asset Status in the hardware asset status information.

Also, to keep track of the return schedule, set the values for Planned Asset Status and Planned Date. If the USB device is scheduled to be returned one week later, set In Stock for Planned Asset Status and set the date one week later for Planned Date.

Tip

By setting a value for Planned Asset Status, you can check the USB device scheduled to be returned in Hardware Asset Status (Planned) on the Summary Reports.

When the user finishes using the USB device, ask the user to return the USB device.

When the USB device is returned, change the value for Asset Status of the hardware asset information from On Loan to In Stock to make the USB device ready to be lent again.


(4) Checking the usage history of a USB device

You can check the usage history of a USB device from an operation log.

Tip

To obtain operation logs, you need to specify the operation log settings during setup, or build a site server configuration system. In addition, you need to enable the operation log policy.

1. Display the operation log of the user.

You can check an operation log in the Operations Logs view of the Security module (or in the Operation Log List (Distributed Operation Logs) view if operation logs are stored on the site server). To check the history of a USB device, use the filtering function to examine operation logs whose Operation Type is External Device Operation. To check the usage history of a specific USB device, filter the operation logs by Source or User Name.

2. Examine detailed information in the operation log.

To check whether a USB device was used properly, examine detailed information in the operation log. Examine the following information:

  • Information about the computer that operated the external medium

  • Information about the user who operated the external medium

  • Information about the files copied to the external medium

From this information, you can check whether the USB device was used properly. If you find any problem with the usage status, check with the user about the usage status, and then take necessary measures.
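The comparison described in step 2, checking each logged external-device operation against the application collected in (3), can be scripted as in the following added example. It is not part of JP1/IT Desktop Management; it assumes the operation-log entries are available as CSV, and the column names, dictionary keys, and sample values are all hypothetical.

```python
import csv
import io
from datetime import date

# Constructed loan application, keyed by the USB device's asset number.
# Items mirror the application fields listed in (3); key names are hypothetical.
APPLICATIONS = {
    "USB-0007": {"user": "tanaka", "computer": "PC-1021",
                 "start": date(2024, 5, 13), "end": date(2024, 5, 20),
                 "files": {"q1_sales_summary.xlsx"}},
}

# Constructed operation-log extract; the column layout is an assumption.
SAMPLE_LOG = """date,operation_type,user_name,source,device_asset,file_name
2024-05-14,External Device Operation,tanaka,PC-1021,USB-0007,q1_sales_summary.xlsx
2024-05-15,External Device Operation,tanaka,PC-1021,USB-0007,customer_master.csv
2024-05-16,External Device Operation,suzuki,PC-1188,USB-0007,q1_sales_summary.xlsx
2024-05-22,External Device Operation,tanaka,PC-1021,USB-0007,q1_sales_summary.xlsx
2024-05-14,File Operation,tanaka,PC-1021,,notes.txt
2024-05-17,External Device Operation,sato,PC-1300,USB-0042,design.zip
"""

def review_usage(log_text, applications):
    """Return (row, reasons) for each external-device entry that deviates from its application."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["operation_type"] != "External Device Operation":
            continue  # same filter as step 1
        app = applications.get(row["device_asset"])
        if app is None:
            findings.append((row, ["no application on file for this device"]))
            continue
        reasons = []
        when = date.fromisoformat(row["date"])
        if not app["start"] <= when <= app["end"]:
            reasons.append("outside the approved usage period")
        if row["user_name"] != app["user"]:
            reasons.append("user differs from the applicant")
        if row["source"] != app["computer"]:
            reasons.append("computer differs from the application")
        if row["file_name"] not in app["files"]:
            reasons.append("file not named in the application")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in review_usage(SAMPLE_LOG, APPLICATIONS):
        print(row["date"], row["device_asset"], row["user_name"], "; ".join(reasons))
```

Each finding is a prompt to check with the user, as described above, not proof of misuse.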


(5) Permitting users to bring out data through only a specific computer

You can restrict the use of USB devices to prevent information leakage caused by data being taken out unnecessarily.

As a way of restricting the use of USB devices, you can permit users to bring out data through only a specific computer. For example, you can operate JP1/IT Desktop Management in such a way as to permit only a shared computer to use USB devices and prohibit the users' computers from using USB devices.

This subsection explains how to permit only a specific computer to use USB devices.

1. Assign a policy to deter the use of USB devices to every computer.

Apply a security policy to deter the use of USB devices to every computer.

Using the prohibited operation policy, create a security policy in which the deterrence of USB devices is enabled, and then assign that security policy to every computer.

2. Assign a dedicated policy to a computer that is authorized to use USB devices.

Apply a dedicated policy to a computer that is authorized to use USB devices.

Using the prohibited operation policy, create a security policy in which the deterrence of USB devices is disabled, and then assign that security policy to a computer that is authorized to use USB devices.

Only the specified computer can now use USB devices.


(6) Handling the loss of a USB device

When a USB device used in your organization is lost, confidential information stored in the USB device, including customer data, sales data, and development data, can leak. You must therefore take immediate action when a USB device is lost.

If you specify the following settings by using the prohibited operation policy, you can check information about the files stored in the lost USB device:

Check whether any file containing confidential information is stored in the lost USB device.

Check the files stored in the USB device.

Using the File List tab displayed in the Hardware Asset view of the Assets module, you can check information about the files stored in the USB device. Note that the File List tab appears only when the target USB device is registered and the value for Device Type is USB Device. Identify the stored files by File Path and Last Modified Date Time, and then investigate the detailed information of the files.

Tip

Information displayed in the File List tab is the information of the files stored in the USB device when that USB device was last connected to a computer in your organization. If there is any file stored in that USB device from an external computer, check with the user who lost the USB device about the content of that file.

In addition, to keep a record of the loss of the USB device, register information about the loss in the USB device's hardware asset information.

Register information about the loss.

To prohibit the use of the lost USB device, in the Hardware Asset view of the Assets module, change the value for Asset Status of the lost USB device to Disposed. That USB device is then treated as unregistered, and data cannot be read from or written to that USB device through any computer to which the prohibited operation security policy is applied.

Also, in the Notes tab, save information such as the date of loss, who lost the device, and how the device was lost.

Tip

Disclose any problems that can potentially lead to information leakage to all employees, and make sure that all employees are fully aware of good security practices.
