Removable Storage Media

Removable storage media, such as USB external hard drives, flash drives or SD cards, can be a convenient way of transferring data. They can also be a source of risk, and care needs to be taken when handling them.

If you are using University owned or provided media which you control to store or transfer University data then it should always be encrypted, but ideally data should be stored on University online storage options and transferred via University services. 

If you are accepting data from a trusted external collaborator on removable storage media then the following advice may be helpful:

• The storage media should only have the data that is being transferred on it, and should not be used for general storage. It may be best to provide your own empty storage media to your collaborator that the data alone can be copied on to.
• The storage media should be fully scanned with an antivirus product before any data is transferred from it. It may be useful to first scan with a computer that that has been disconnected from the network and Wi-Fi temporarily; make sure that the antivirus product is updated before disconnecting.
• For Windows devices it may be prudent to disable "Autoplay" - search your settings for how to do this. However, recent Windows versions cannot run applications automatically from USB devices.
• Only data should be transferred; executable programs should not be run or installed from storage media that is not fully under your control at all times.
• Storage media that has unclear provenance - for example, a USB stick found in a public area - should not be used at all.

It should always be borne in mind that transferring or sharing larger amounts of data via online mechanisms is increasingly possible due to increases in network speeds and increases in storage. Transferring data this way may be preferred as it reduces the need for storage media to be moved and does not require devices to be attached to your computer, both of which reduce risk. However, there may still be risks associated with the files themselves and care still needs to be taken.