How to request temporary USB access
Category:
Security & Endpoint | Last reviewed: May 2026
|
Who
this is for
|
All ONYX Insight staff and contractors on managed laptops
who need to read from or write to a USB storage device.
|
|
Approver
|
IT Security Administration (in-house IT Support, overseen
by the IT Manager and Cyber Security).
|
|
Typical
lead time
|
1 business day for a routine request. Same-day where the
business need is urgent and approval is obtained.
|
|
How
long access lasts
|
Temporary - granted only for the duration stated in your
request. Reviewed and revoked when no longer needed.
|
|
Related
policies
|
IT Controls Policy (ONYX-IMS-L1-108, control A.7.10
Storage Media) and IT Acceptable Use Policy (ONYX-IMS-L1-115).
|
Overview
ONYX laptops block USB storage
devices by default. The block is enforced by Sophos Central Endpoint Detection
and Response, which is our endpoint security platform. The control exists to
prevent malware from being introduced via removable media and to stop
confidential or personal data from leaving managed devices uncontrolled.
If you have a genuine business
need to use a USB storage device - for example, to load configuration onto an
air-gapped device at a customer site, or to use a vendor-supplied hardware tool
- IT can grant you a temporary exemption. Access is granted per user, applies
across the laptops you sign into, and is revoked when the work is finished.
When you need to request an exemption
Raise a request when any of the
following applies:
•
You need to read from or write to a USB flash drive,
external hard drive, or SD card on your ONYX laptop.
•
You need to connect a vendor hardware tool that
presents itself as a USB storage device (some diagnostic kits and field-service
tools do this).
•
A customer site requires you to transfer data via USB
because their environment is air-gapped or offline.
You do not need an exemption for
input devices such as USB keyboards, mice, headsets, webcams, or charging
cables - these are not blocked.
Before you raise the ticket - try the alternatives
Sophos exemptions are
intentionally temporary and reviewed at least annually. Where it is practical,
please use an approved alternative first:
•
OneDrive, SharePoint, or Teams for file sharing inside
ONYX.
•
A secure file-transfer link (e.g. Mimecast Large File
Send) for sending files to customers.
•
VPN access to internal resources rather than carrying
data on a stick.
If none of these work for your
situation, continue with the request below.
How to request access
1.
Open a new IT request via the service portal and select
the Security category.
2.
Use the subject "Sophos - Temporary USB
Access" so the request is routed to the right queue.
3.
Provide the information in the checklist below in the
ticket description.
4.
If the transfer involves Confidential or PII data, get
written approval from the data owner (and the DPO for PII) and attach it to the
ticket.
5.
Submit the ticket and watch for confirmation. IT will
reply when the policy change has been applied and the access is live.
What to include in your request
|
Field
|
What to provide
|
|
Your details
|
Full name, department, office or remote location, and your
laptop's asset ID or computer name.
|
|
Operating system
|
Windows, macOS, or Ubuntu - so IT applies the correct
Sophos policy.
|
|
Business justification
|
Why USB is required and why a cloud or network transfer is
not an option (customer site, air-gapped device, hardware tool, etc.).
|
|
USB device details
|
Type of device (storage stick, dongle, hardware tool), and
where possible the vendor, model, and serial number.
|
|
Data classification
|
What data you intend to transfer. Confidential data needs
the data owner's approval; PII additionally requires the DPO's approval.
|
|
Duration
|
How long access is needed (e.g. 2 hours, this week, the
duration of the site visit).
|
Approval and lead time
Routine requests with a clear
business justification are typically actioned within one business day. Requests
are reviewed by the in-house IT Support team under IT Security Administration,
with oversight from the IT Manager and Cyber Security.
Approval may take longer if:
•
The request involves Confidential information or PII,
and the data owner or DPO approval is still outstanding.
•
The justification is unclear and IT needs to come back
to you for more detail.
•
The request falls outside standard working hours -
out-of-hours support is by escalation only.
If your need is genuinely
urgent, flag this in the ticket and call the IT emergency phone channel so it
can be prioritised.
Acceptable use while your exemption is active
While the exemption is in place,
the rules in our Acceptable Use Policy and the Storage Media control (A.7.10)
of the IT Controls Policy still apply. In particular:
•
Use the USB device only for the work described in your
ticket.
•
Encrypt any Confidential or Sensitive data placed on
the device. Encryption is mandatory for these classifications.
•
Delete the data from the USB device immediately after
the transfer is complete.
•
Do not share the device, the data, or the access with
anyone else.
•
Keep the device with you, treat it as you would a
company laptop, and report any loss or theft to IT and
security@onyxinsight.com
immediately.
•
Do not attempt to bypass or disable Sophos, or any
other endpoint security control, at any time.
What happens when your access ends
Tell IT when your work is
finished by replying on the original ticket. IT will move you from
"Assigned Users" back to "Available Users" in the Sophos
policy. After you next sign in, your laptop will block USB storage devices
again.
If you do not close the ticket
yourself, IT will follow up at the end of the duration you requested and revoke
access. The authorised user list is reviewed at least annually as part of our
ISO 27001 controls.
FAQ
Why was my USB stick blocked without warning?
USB storage is blocked across
all managed ONYX devices by default. You will usually see a Sophos notification
on your laptop when a device is blocked. Raise an exemption ticket if you need
access.
Can IT allow only my specific USB device rather than all USB storage?
Sophos supports per-device
exemptions using a USB device's Vendor ID, Product ID, or serial number. This
is more secure than a per-user exemption and we are working towards using it as
the default. If you can provide those details in your ticket, please do.
My exemption expired and I need it again - do I have to fill in everything?
Yes - reference the previous
ticket number to speed things up, but the request still needs an up-to-date
justification, duration, and data-classification statement so the approval is
auditable.
Who do I talk to if my request is refused?
Reply on the ticket asking for
the reason, and copy in your line manager. If you believe the decision needs
review, escalate via the IT Manager. Policy queries can be sent to the Head of
Cyber Security at
toby.rogers@onyxinsight.com.
Related articles and policies
•
IT Acceptable Use Policy (ONYX-IMS-L1-115) - Employee
HUB SharePoint.
•
IT Controls Policy (ONYX-IMS-L1-108), control A.7.10
Storage Media.
•
In-house IT Support Procedures (ONYX-IMS-L1-118).
•
How to report a lost or stolen device.
•
How to request a software licence (related self-service
article).