Removable Media Policy
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Field | Details |
|---|---|
| Document Type | Policy |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |

Document #: SP-RMP-030 | Version: V1.2 | Issue Date: 05/09/2025
Document Creation
| Field | Details |
|---|---|
| Document # | SP-RMP-030 |
| Document Title | Removable Media Policy |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that the Removable Media Policy is implemented |
| Authorised By | Yassir Pasha |
Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |
Management of Removable Media
Purpose
The purpose of this policy is to minimise the risk of data loss or introduction of malware through the use of removable media within Simpaisa. Removable media presents a significant information security risk due to its portability and the ease with which data can be transferred to and from company systems.
Removable media includes, but is not limited to:
- USB flash drives / memory sticks
- External hard disk drives
- Optical media (CD, DVD, Blu-ray)
- Memory cards (SD cards, microSD, CompactFlash)
- Magnetic tapes
- Any other portable storage device capable of storing data
Scope
This policy applies to all employees, contractors and third-party personnel who use removable media in connection with Simpaisa systems, networks or data.
Policy Definitions
- Use of removable media is restricted. The use of removable media on Simpaisa systems is restricted to business purposes only and requires prior authorisation from the line manager and the IT department. Personal use of removable media on company systems is prohibited.
- Approved media only. Only removable media that has been issued or approved by the IT department may be connected to Simpaisa systems. Employees must not connect personal or unverified removable media to company systems under any circumstances.
- Encryption is mandatory. All company data stored on removable media must be encrypted using an approved encryption solution. Unencrypted removable media containing company data must not leave the company premises.
- Scanning for malware. All removable media must be scanned for malware by the company's approved anti-malware solution before any files are opened or transferred to company systems. If malware is detected, the media must be immediately isolated and reported to IT.
- Data minimisation. The amount of data stored on removable media must be kept to the minimum necessary for the business purpose. Sensitive data, including cardholder data (CHD) and personally identifiable information (PII), must not be stored on removable media unless there is no viable alternative and the storage has been explicitly authorised by the CISO.
- Secure storage and handling. Removable media must be stored securely when not in use. Media must not be left unattended in public places, vehicles, or anywhere that could result in loss or theft.
- Reporting loss or theft. The loss or theft of any removable media containing company data must be reported immediately to the employee's line manager and the IT department. The CISO must be notified without delay. The organisation's incident response process will be initiated as appropriate.
- Return and disposal. Company-issued removable media must be returned to the IT department when no longer required. Disposal of removable media must be carried out in accordance with the Procedure for Disposal of Media. Employees must not dispose of removable media themselves.
- Audit and monitoring. The use of removable media on company systems may be monitored and audited. Connection of removable media to company systems may be logged. Employees are reminded that use of company systems is subject to monitoring in accordance with the Acceptable Use Policy.
- Non-compliance. Failure to comply with this policy may result in disciplinary action up to and including termination of employment. Breaches that result in a data loss incident may also have legal consequences.