Removable media has been a standard part of information technology systems for many years. The ever-expanding networks that connect systems and enable information to be shared have not displaced it.
The various USB and other portable storage devices currently in use are still accompanied in service by the venerable CD and DVD formats.
The relative price of all of these solutions, especially the CD or DVD, and the size and weight of these devices have led people to be less careful with them than they would be with a laptop, a server or a large storage array. People do not appear to report the loss of such a device or disc as a security incident.
So, to reduce the impact of a lost device or disc, the data can be encrypted. The basics on the use of a strong password are a given and often lamented by me and others. The difficulty arises with the intended use of the device or disc. For example, where will the device or disc be used? Many organisations will want to share information with other organisations or end points that are outside their control or sphere of influence. If this is the case, it may not be possible to ensure that the same encryption software is available at the recipient end. This can be resolved by using a product that moves with the platform and is therefore always available alongside the encrypted data.
There are a number of products that will work with portable media devices to achieve this, and some devices come with this capability built in. Many of these are certified to a standard such as FIPS 140-2. In the UK the CCT mark http://www.cctmark.gov.uk/ is similar (though a smaller group of products has achieved approval under this mark).
Unfortunately the options for CDs and DVDs are not so good. This media is still used in many industries, especially where there is a business need to send large amounts of ad hoc data between organisations.
Information Security Policies should include a section on, or a reference to, the organisation's standards for correctly transferring information to all removable media. This should run in parallel with technical measures, where required, that enforce these policies and standards and provide additional mitigation against the risk of users transferring unencrypted data to removable media.
So do not overlook the easiest route for your organisation to operate. Like water, users will find their way through the cracks in your policies and controls, and you are likely to be the last to know that the data has gone.