Use of Portable Storage Devices Policy
Version 1.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to define mandatory requirements for the use, storage, transport, and disposal of portable storage devices when handling Fordham Protected Data and Fordham Sensitive Data.
Scope
This IT Security policy, and all policies referenced herein, shall apply to the following members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the “ User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Use portable storage devices only when there is a legitimate University business requirement and no secure University-managed storage (e.g., Fordham Additional Storage, Google Workspace, Microsoft OneDrive, S:/ Drive) option is available.
- You must follow the Data Classification Guidelines when storing, accessing, or transmitting Fordham Protected Data and Fordham Sensitive Data on portable storage devices.
- Encrypt all Fordham Protected Data and Fordham Sensitive Data using Information Security and Assurance–approved encryption per the Disk Encryption Policy.
- Protect encrypted portable storage devices with a password or PIN of at least six characters or digits.
- Do not disable encryption or security controls on University-issued portable storage devices.
- Enable remote wipe capability if supported by the device.
- Keep portable storage devices in your possession as outlined in Recommendations for Traveling.
- Do not leave portable storage devices unattended in vehicles, public spaces, or unsecured areas.
- Do not rely solely on portable storage devices for backup.
- Sanitize portable storage devices containing Fordham Protected Data and Fordham Sensitive Data before disposal, reassignment, or return, in compliance with the Device Sanitization Policy. Obtain a sanitization certificate where applicable.
Definitions
IT Resources include computing, networking, communications, applications, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Portable Storage Device is any removable media or device capable of storing data, including but not limited to USB flash drives, external hard drives, SD cards, optical media, and portable solid-state drives.
Related Policies and Procedures
- Data Classification Guidelines
- Device Sanitization Policy
- Disk Encryption Policy
- Fordham Additional Storage
- Google Workspace
- Microsoft OneDrive for Business Backup Procedure
- Recommendations for Traveling
- S:/ Drive Instructions
Implementation Information
| Review Frequency | Triennial |
|---|---|
| Responsible Person | Senior Director of IT Security and Assurance |
| Approved By | CIO |
| Approval Date | February 25, 2026 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 02/25/2026 | Initial policy |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity, with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.