2019.02

Encrypted USB Flash Drive Assignment

Policy
Policy Number: 2019.02
Effective Date: September 17, 2019
Revision Date:
Subject Matter Expert: Section Security Officer
Approval Authority: TB/HIV/STD Section Director
Signed by: Felipe Rocha, M.S.S.W.

1.0 Purpose

To establish a centralized procedure for requesting, assigning, and tracking encrypted USB flash drives to staff. 

 

2.0 Policy

It is the policy of the TB/HIV/STD Section (Section) at the Texas Department of State Health Services (DSHS) that all encrypted USB flash drives approved for staff use by HHSC IT will be requested, assigned, and tracked using a consistent procedure to ensure that the drives are not lost or stolen. This procedure applies to any encrypted USB flash drive used by Section staff, which includes IronKey, Kanguru, and other flash drives. Only agency-issued/approved encrypted USB flash drives can be used on agency-owned equipment per Section Procedure 2016.01 TB/HIV/STD Section Confidential Information Security Procedures.

 

3.0 Definitions


Encryption – The process of converting information or data into a code for the purpose of preventing unauthorized access.

Flash drive – A data storage device that includes flash memory with an integrated USB interface. 

USB – Universal Serial Bus

  

4.0 Persons Affected

All DSHS TB/HIV/STD Section staff

 

5.0 Responsibilities

Staff Services Officer (SSO): Section and Branch Staff Services Officers (SSOs) manage the inventory of encrypted USB flash drives for the Section. They maintain a tracking document that records who has an encrypted USB drive. They ensure that each flash drive assigned to staff is recorded as assigned to the specific staff member and, if the drive has a serial number, that this number is recorded as well. They ensure that the password is reset to a uniform password when drives are returned by terminating/transferring staff, and they configure drives to wipe – not self-destruct – upon repeated entry of an incorrect password. They assist staff in setting up new passwords and configuring drives upon assignment. They store encrypted USB flash drives that are not in use by staff in locked storage.

Manager: Approves requests for encrypted USB flash drive check out. Also responsible for returning encrypted USB flash drives to SSO when employee separates from current position.

TB/HIV/STD Section Security Officer: Performs routine inventory audits to verify staff continue to maintain possession of encrypted USB flash drives (annually and as security events warrant). Reviews contingencies related to the use of encrypted USB flash drives not covered in policy.

Section Staff: Requests encrypted flash drive by sending an email request to manager. Maintains assigned encrypted USB flash drives in good working order. Immediately reports loss or theft of assigned drives to manager, SSO, and security officer. Returns assigned drives to manager and meets with SSO to reset password upon separation from position. 

 

6.0 Procedures

6.1 Section Staff member will request an encrypted USB flash drive through their manager via email. The request should include the employee identification number, job title, business justification for drive, and whether the drive will be needed for a defined short-term period of time or indefinitely.

6.2 Upon approval, manager will forward email to designated SSO.

6.3 SSO will distribute encrypted USB flash drive to employee and update tracking log with employee name, serial number of device, and date checked out. The tracking log will be maintained in an electronic location accessible by SSOs and managers only:

6.4 Section Security Officer will perform inventory control checks and verify staff members have possession of the encrypted USB flash drive assigned to them. A routine inventory check of all assigned drives will be performed once a year. More frequent spot checks of assigned drives will be performed as security needs warrant.

6.5 The Section Security Officer will complete a report to document the inventory control check. At a minimum, the report should include the security officer’s name, date of check, name of staff member with encrypted USB flash drive, confirmation of the correct (originally assigned) serial number on the device, and any notes or concerns.

6.6 The Security Officer will send inventory control check report to SSOs and managers upon completion. Managers will be responsible for following up with employees on any drives not accounted for in the inventory control checks. The Security Officer will also maintain inventory control check reports in an electronic location accessible by SSOs and Managers.

6.7 Upon leaving position due to transfer or termination, staff member will turn in drive to their manager. The manager will set up a meeting with the employee and SSO to wipe the drive and change the password so the drive does not self-destruct. Managers are responsible for ensuring drives are returned in good working order before departing staff leave.

6.8 SSOs will use a uniform password when setting or resetting passwords for drives. Passwords will be reset upon assignment to staff members.

6.9 SSOs will assist staff members in resetting passwords and configuring drives upon assignment. Drives must always be configured to wipe – not self-destruct – upon repeated entry of incorrect passwords.

6.10 SSOs will update the tracking log with the date the drive was turned in and return drive to locked storage.

6.11 Any contingencies related to the use of encrypted USB flash drives not addressed in this policy will be referred to the Section security officer for review.

 

7.0 Revision History

Date         Action        Section
9/17/2019    New policy    -

 


Last updated June 15, 2020