2019.02 Encrypted USB Flash Drive Assignment

Policy Number 2019.02
Effective Date September 17, 2019
Revision Date  
Subject Matter Expert Section Security Officer
Approval Authority TB/HIV/STD Section Director
Signed by Felipe Rocha, M.S.S.W.

1.0 Purpose

To establish a centralized procedure for requesting, assigning, and tracking encrypted USB flash drives to staff. 

2.0 Policy

It is the policy of the TB/HIV/STD Section (Section) at the Texas Department of State Health Services (DSHS) that all encrypted USB flash drives approved for staff use by HHSC IT will be requested, assigned, and tracked using a consistent procedure to ensure that the drives are not lost or stolen. This procedure applies to any encrypted USB flash drive used by Section staff, which includes Iron Key, Kangaru and other flash drives. Only agency-issued/approved encrypted USB flash drives can be used on agency-owned equipment per Section Procedure 2016.01 TB/HIV/STD Section Confidential Information Security Procedures.

3.0 Definitions

Encryption – The process of converting information or data into a code for the purpose of preventing unauthorized access.

Flash drive – A data storage device that includes flash memory with an integrated USB interface. 

USB – Universal Serial Bus

4.0 Persons Affected

All DSHS TB/HIV/STD Section staff

5.0 Responsibilities

Staff Services Officer (SSO): Section and Branch Staff Service Officers (SSOs) manage inventory of encrypted USB flash drives for the Section. They maintain a tracking document for keeping track of who has an encrypted USB drive. They assure that each flash drive assigned to staff is recorded as assigned to the specific staff and if there is a serial number that this number is recorded as well. Ensures that password is reset to a uniform password when drives are returned by terminating/transferring staff and configures drives to wipe – not self-destruct – upon repeated entry of incorrect password. Assists staff in setting up new passwords and configuring drives upon assignment. Stores encrypted USB flash drives that are not in use by staff in locked storage.

Manager: Approves requests for encrypted USB flash drive check out. Also responsible for returning encrypted USB flash drives to SSO when employee separates from current position.

TB/HIV/STD Section Security Officer: Performs routine inventory audits to verify staff continue to maintain possession of encrypted USB flash drives (annually and as security events warrant). Reviews contingencies related to the use of encrypted USB flash drives not covered in policy.

Section Staff: Requests encrypted flash drive by sending an email request to manager. Maintains assigned encrypted USB flash drives in good working order. Immediately reports loss or theft of assigned drives to manager, SSO, and security officer. Returns assigned drives to manager and meets with SSO to reset password upon separation from position. 

6.0 Procedures

6.1 Section Staff member will request an encrypted USB flash drive through their manager via email. The request should include the employee identification number, job title, business justification for drive, and whether the drive will be needed for a defined short-term period of time or indefinitely.

6.2 Upon approval, manager will forward email to designated SSO.

6.3 SSO will distribute encrypted USB flash drive to employee and update tracking log with employee name, serial number of device, and date checked out. The tracking log will be maintained in an electronic location accessible by SSOs and managers only:

6.4 Section Security Officer will perform inventory control checks and verify staff members have possession of the encrypted USB flash drive assigned to them. A routine inventory check of all assigned drives will be performed once a year. More frequent spot checks of assigned drives will be performed as security needs warrant.

6.5 The Section Security Officer will complete a report to document the inventory control check. At a minimum, the report should include the security officer’s name, date of check, name of staff member with encrypted USB flash drive, confirmation of the correct (originally assigned) serial number on the device, and any notes or concerns.

6.6 The Security Officer will send inventory control check report to SSOs and managers upon completion. Managers will be responsible for following up with employees on any drives not accounted for in the inventory control checks. The Security Officer will also maintain inventory control check reports in an electronic location accessible by SSOs and Managers.

6.7 Upon leaving position due to transfer or termination, staff member will turn in drive to their manager. The manager will set up a meeting with the employee and SSO to wipe the drive and change the password so the drive does not self-destruct. Managers are responsible for ensuring drives are returned in good working order before departing staff leave.

6.8 SSOs will use a uniform password when setting or resetting passwords for drives. Passwords will be reset upon assignment to staff members.

6.9 SSOs will assist staff members in resetting passwords and configuring drives upon assignment. Drives must always be configured to wipe – not self-destruct – upon repeated entry of incorrect passwords.

6.10 SSOs will update the tracking log with the date the drive was turned in and return drive to locked storage.

6.11 Any contingencies related to the use of encrypted USB flash drives not addressed in this policy will be referred to the Section security officer for review.

7.0 Revision History

Date Action Section
9/17/2019 New policy -