Restrictions on Mobile Device Removable Media
SECRET and TOP SECRET devices need ASD approval to use removable media.
Plain language
When dealing with highly sensitive information, like that on SECRET or TOP SECRET devices, it's crucial to control what data these devices can store or share. Removable media, like USB sticks, can make it easy to copy data and lose track of it, so getting approval from the Australian Signals Directorate (ASD) first helps ensure that only trusted drives are used, protecting the information from falling into the wrong hands.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
SECRET and TOP SECRET mobile devices do not use removable media unless approved beforehand by ASD.
Why it matters
Without ASD-approved removable media, SECRET/TOP SECRET data could be copied to unapproved media, enabling unauthorised disclosure and a serious security breach.
Operational notes
Before any removable media is used on SECRET or TOP SECRET mobile devices, confirm ASD approval is documented and periodically re-validate approvals remain current.
Implementation tips
- The IT team should identify all mobile devices that handle SECRET and TOP SECRET information and create a list of these devices. This involves checking the inventory records and ensuring each device's security level is correctly classified.
- The system administrator must block the use of removable media on SECRET and TOP SECRET devices by default. This can be done by configuring device settings to disable USB ports or using software tools that control which devices can connect.
- Managers should establish a procedure for requesting approval from the ASD for using removable media on these sensitive devices. This involves creating a template that outlines what information needs to be provided for the ASD's review and who in the organisation will handle these requests.
- The IT security officer should educate staff about the risks associated with using removable media on SECRET and TOP SECRET devices. They can hold training sessions that explain why these restrictions are important and the proper procedures for seeking ASD approval.
- The compliance officer should conduct regular reviews to ensure that the policy on removable media use is being followed. This involves checking logs and records to verify that no unauthorised devices have been connected to SECRET or TOP SECRET devices.
Audit / evidence tips
- AskThe inventory list of SECRET and TOP SECRET devices GoodWill show a regularly updated list with accurate classifications and device details
- GoodIncludes policy settings or software output showing removable media blocking on sensitive devices
- AskThe approval process documentation for using removable media on sensitive devices GoodIncludes a clear process description and records of communication with the ASD
- GoodIncludes dated records showing participation and understanding of the policy and its importance
- AskThe logs or reports from compliance reviews regarding the policy GoodProvides detailed review outcomes and any actions taken to address non-compliance
Cross-framework mappings
How ISM-1868 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.1 | ISM-1868 requires that SECRET and TOP SECRET mobile devices do not use removable media unless ASD approval is obtained beforehand | |
| handshake Supports (1) expand_less | ||
| Annex A 8.12 | ISM-1868 requires a strong preventative control: SECRET and TOP SECRET mobile devices must not use removable media unless ASD approval is... | |
| extension Depends on (2) expand_less | ||
| Annex A 5.1 | ISM-1868 mandates an operational restriction on SECRET and TOP SECRET mobile devices, requiring ASD pre-approval before any removable med... | |
| Annex A 5.10 | ISM-1868 requires that removable media is not used on SECRET and TOP SECRET mobile devices unless ASD approval is obtained beforehand | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.