Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


1.7.8 Restricting the use of USB devices

Various types of data such as customer data, sales data, and development data exist on computers in your organization. If any of this confidential information leaks, your organization suffers serious damage and its public reputation is ruined as well. For that reason, you need to take security measures that protect confidential information by preventing data from being taken out or lost.

You can use JP1/IT Desktop Management 2 to deter the use of devices. By using this function, you can prevent information leakage caused by data being taken out of the organization.

This subsection explains how to restrict the use of USB devices. To restrict the use of USB devices, the following two methods are available:

[Figure]

Tip

When you permit only registered USB devices to be used, you can also apply the following conditions to limit assets that can use the USB devices.

  • The registered USB device is permitted to be used only with assets that are registered with the same department as the USB device.

  • The registered USB device is permitted to be used only with assets that are registered with the same location as the USB device.

  • The registered USB device is permitted to be used only with hardware assets that are registered and associated with the USB device.

To lend USB devices while prohibiting the use of privately owned USB devices:

1. Register authorized USB devices.

Prepare USB devices to be lent, and then register them in JP1/IT Desktop Management 2 as authorized USB devices.

2. Deter the use of any USB devices other than the authorized USB devices.

Using JP1/IT Desktop Management 2, deter reading from and writing to USB devices. At the same time, permit the use of only the USB devices registered in step 1.

3. Lend an authorized USB device.

Have a user who wants to use a USB device submit an application to you, check the content of the application, and then lend a USB device to that user.

Using JP1/IT Desktop Management 2, change the asset status of the USB device when it is lent and when it is returned.

4. Check the usage log of the lent USB device.

Check whether the lent USB device has been used as described in the submitted application.

In this way, the usage status of the USB devices is properly managed and data cannot be taken out unnecessarily.


(1) Registering authorized USB devices

To prevent information leakage caused by data being taken out of the organization, permit the use of specific USB devices and prohibit the use of all other USB devices. For example, you can deter the use of privately owned USB devices by permitting the use of only the USB devices owned by your organization.

To permit the use of specific USB devices only, you need to register authorized USB devices first.

1. Register USB devices.

Prepare USB devices to be lent, and then register them as authorized USB devices. When registering the USB devices, set registrant information to make clear who registered them.

When you have registered the USB devices, hardware asset information about the USB devices is registered in the Hardware Asset view of the Assets module.

Tip

If you want the user to register a USB device, set the authentication information for USB device registration in the agent configuration, and then assign the agent configuration to the user's computer in advance. Then, inform the user about the authentication information and registration method if necessary, and ask the user to register a USB device.

2. Edit the hardware asset information.

Unconfirmed is displayed under Asset Status for the hardware asset information of the registered USB devices. In addition, only the information collected from the USB devices and the user information set at the time of registration are registered. Therefore, manually register information that is not automatically collected, such as Asset # and Asset Status (In Stock). Set Asset Status to any value other than Unconfirmed or Disposed to register the USB devices as authorized USB devices.

The USB devices are now registered as authorized USB devices.


(2) Deterring the use of any USB device other than the authorized USB devices

To prevent information leakage caused by data being taken out of the organization, permit the use of specific USB devices and prohibit the use of all other USB devices. For example, you can deter the use of privately owned USB devices by permitting the use of only the USB devices owned by your organization.

After registering authorized USB devices, you need to deter the use of any USB devices other than the authorized USB devices.

Set a prohibited operation policy.

To deter the use of any USB devices other than the authorized USB devices, set a prohibited operation policy. At the same time, permit the use of the authorized USB devices only.

Then, the use of any USB devices other than the authorized USB devices is deterred.


(3) Lending a USB device to a user

When you permit the use of only the USB devices owned by your organization (USB devices already registered in JP1/IT Desktop Management 2), you need to lend such a USB device to any user who intends to use one. In that case, have the user submit an application for USB device use and, if the intended use is appropriate, lend a USB device to the user.

1. Have the user submit an application for USB device use.

Obtain the following information to manage the USB device lending operation:

  • Date of usage

  • Date of return

  • Intended use

  • Department

  • User name

  • Email address

  • Phone number

  • Asset management number of the computer to use the USB device

  • Name of the file containing the data to be written to the USB device

2. Lend a USB device to the user.

When the intended use is appropriate, lend a USB device to the user.

To manage the borrower of the USB device, edit the asset information of that USB device and change its user information to the borrowing user's information. If you do not want to change the user information of the USB device, add a management item for borrower management, or save a history, such as the date of lending and the borrower, in the Notes tab.

After lending the USB device, to make it clear that the USB device is being lent, change the value for Asset Status by adding a new status (such as On Loan) to Asset Status in the hardware asset status information.

Also, to keep track of the return schedule, set the values for Planned Asset Status and Planned Date. If the USB device is scheduled to be returned one week later, set In Stock for Planned Asset Status and set the date one week later for Planned Date.

Tip

By setting a value for Planned Asset Status, you can check the USB device scheduled to be returned in Planned Hardware Asset Status on the Summary Reports.

When the user finishes using the USB device, ask the user to return the USB device.

When the USB device is returned, change the value for Asset Status of the hardware asset information from On Loan to In Stock to make the USB device ready to be lent again.


(4) Checking the usage history of a USB device

You can check the usage history of a USB device from an operation log.

Tip

To obtain operation logs, you need to specify the operation log settings during setup. In addition, you need to enable the operation log policy.

1. Display the operation log of the user.

You can check operation logs in the Operation Logs view of the Security module. To check the history of a USB device, examine operation logs whose Operation Type is Device operation by using the filtering function. To check the usage history of a specific USB device, perform filtering on operation logs by Source or User Name.

2. Examine detailed information in the operation log.

To check whether a USB device was used properly, examine detailed information in the operation log. Examine the following information:

  • Information about the computer on which the USB device was operated

  • Information about the user who operated the USB device

  • Information about the files copied to the USB device

You can check whether the USB device was used properly. If you find any problem with the usage status, check with the user about the usage status, and then take necessary measures.
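The reconciliation described in steps 1 and 2, as an added example that is not from the Hitachi guide or the product: it compares exported operation-log rows against the loan applications collected in (3) and reports every deviation. The CSV column names, asset numbers, user names, and file names are constructed for illustration; the product's actual export layout is not shown on this page.

```python
import csv
import io
from datetime import date, datetime
from pathlib import PureWindowsPath

# Constructed loan applications, keyed by the USB device's asset number.
# The fields mirror the application items listed in (3).
APPLICATIONS = {
    "USB-0001": {"user": "sato", "computer": "PC-1001",
                 "from": date(2024, 5, 13), "to": date(2024, 5, 20),
                 "files": {"q1_sales_summary.xlsx"}},
}

# Constructed operation-log export. The column layout is an assumption,
# not the product's documented export format.
LOG_CSV = r"""time,user_name,source,device_asset,file_path
2024-05-14T10:02:11,sato,PC-1001,USB-0001,E:\q1_sales_summary.xlsx
2024-05-15T18:40:03,sato,PC-1001,USB-0001,E:\customer_master.csv
2024-05-16T09:12:45,tanaka,PC-2002,USB-0001,E:\q1_sales_summary.xlsx
2024-05-22T08:05:00,sato,PC-1001,USB-0001,E:\q1_sales_summary.xlsx
2024-05-14T11:00:00,sato,PC-1001,USB-0009,E:\notes.txt
"""

def audit(log_csv, applications):
    """Return (row, reasons) for each log row that deviates from its application."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        app = applications.get(row["device_asset"])
        if app is None:
            findings.append((row, ["no application on file for this device"]))
            continue
        reasons = []
        day = datetime.fromisoformat(row["time"]).date()
        if not app["from"] <= day <= app["to"]:
            reasons.append("used outside the requested dates")
        if row["user_name"].lower() != app["user"].lower():
            reasons.append("operated by a different user")
        if row["source"] != app["computer"]:
            reasons.append("used on a different computer")
        allowed = {name.lower() for name in app["files"]}
        if PureWindowsPath(row["file_path"]).name.lower() not in allowed:
            reasons.append("file not named in the application")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in audit(LOG_CSV, APPLICATIONS):
        print(row["time"], row["device_asset"], "; ".join(reasons))
```

Each finding is a prompt to check with the user, as the procedure above directs, not proof of misuse.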


(5) Permitting users to bring out data through only a specific computer

You can restrict the use of USB devices to prevent information leakage caused by data being taken out unnecessarily.

As a way of restricting the use of USB devices, you can permit users to bring out data through only a specific computer. For example, you can operate JP1/IT Desktop Management 2 in such a way as to permit only a shared computer to use USB devices and prohibit the users' computers from using USB devices.

This subsection explains how to permit only a specific computer to use USB devices.

1. Assign a policy to deter the use of USB devices to every computer.

Apply a security policy to deter the use of USB devices to every computer.

Using the prohibited operation policy, create a security policy in which the deterrence of USB devices is enabled, and then assign that security policy to every computer.

2. Assign a dedicated policy to a computer that is authorized to use USB devices.

Apply a dedicated policy to a computer that is authorized to use USB devices.

Using the prohibited operation policy, create a security policy in which the deterrence of USB devices is disabled, and then assign that security policy to a computer that is authorized to use USB devices.

Then, only a specific computer can use USB devices.


(6) Permitting users to bring out data for limited cases (depending on the department, installation location, or device)

You can restrict the use of USB devices to prevent information leakage caused by data being taken out of the organization.

One way to restrict the use of USB devices is to permit users to bring out data depending on the department, installation location, or associated asset (device). For example, you can permit computers only in the sales department to use USB devices while prohibiting computers in any other departments from using USB devices.

This subsection describes how to permit USB devices to be used for limited cases (depending on the department, installation location, or device).

1. Set a security policy.

Edit a security policy in the Security Policy List view of the Security module.

In Other Access Restrictions, which is a security configuration item, enable USB devices, and select Allow registered USB device usage. You can also select Limit the assets that can be used to limit assets that can use the USB device by using the following conditions:

  • Allow only the resources of the department that owns the USB device to be used

    The registered USB device is permitted to be used only with assets that are registered with the same department as the USB device.

  • Allow only the resources in the same location as the USB device to be used

    The registered USB device is permitted to be used only with assets that are registered with the same installation location as the USB device.

  • Allow only the resources associated with the USB device to be used

    The registered USB device is permitted to be used only with hardware assets that are registered and associated with the USB device.

2. Register USB devices.

Register USB devices as authorized USB devices. For details about how to register USB devices, see 9.7 Registering USB devices.

When a USB device is registered, the department and installation location can also be added to the information of the user who registers the device.

3. Edit the hardware asset information.

Edit the hardware asset information of the registered USB devices in the Hardware Asset view of the Assets module. In the hardware asset information of the registered USB devices, Asset Status is set to Unconfirmed. Set Asset Status to any value other than Unconfirmed or Disposed to register the USB devices as authorized USB devices.

In the Edit Hardware Asset dialog box, you can set the information of the department, installation location, and associated hardware asset. The department, installation location, and other information you set here are used to limit authorized USB devices.

USB devices will be permitted to be used only with assets that are set in the security policy.


(7) Handling the loss of a USB device

When a USB device used in your organization is lost, confidential information stored on it, including customer data, sales data, and development data, can leak. You must therefore take immediate action when a USB device is lost.

If Collect is selected in Collect List of USB Device Files under Common settings for prohibited operations and operation logs, you can see the information of the files stored in the USB devices.

Check whether any file containing confidential information is stored in the lost USB device.

Check the files stored in the USB device.

Using the File List tab displayed in the Hardware Asset view of the Assets module, you can check information about the files stored in the USB device. Note that the File List tab appears only when the target USB device is registered and the value for Device Type is USB Device. Identify the stored files by File Path and Last Modified Date Time, and then investigate the detailed information of the files.

Tip

Information displayed in the File List tab is the information of the files stored in the USB device when that USB device was last connected to a computer in your organization. If there is any file stored in that USB device from an external computer, check with the user who lost the USB device about the content of that file.

Important

The file information might be incorrectly displayed when the USB device meets any of the following conditions:

  • File system is encrypted.

  • File system is password protected.

  • There is a floppy disk drive or optical disk drive.

In addition, to keep a record of the loss of the USB device, register information about the loss in the USB device's hardware asset information.

Register information about the loss.

To prohibit the use of the lost USB device, in the Hardware Asset view of the Assets module, change the value for Asset Status of the lost USB device to Disposed. That USB device is then treated as unregistered, and data cannot be read from or written to it through any computer to which the prohibited operation security policy is applied.

Also, in the Notes tab, save information such as the date of loss, who lost the device, and how it was lost.

Tip

Disclose any problems that can potentially lead to information leakage to all employees, and make sure that all employees are fully aware of good security practices.
