Flash Drive Standard

IOT has adopted a standard encrypted drive for agencies to use (available through the Computers (all) & Peripherals QPA) and has requested that IDOA restrict purchases of all non-standard devices.

Reason for Standard
Flash drives are capable of holding immense amounts of data.  They are also easily lost or stolen.  Combining these two factors can lead to some very bad outcomes, specifically a security breach.   This standard ensures that any agency, using the State standard, will not have to worry about a security breach due to loss or theft. 

Why choose hardware encryption versus software encryption or regular flash drives?
When data is encrypted through hardware encrypted flash drives, as it is on the devices established as the State standard, the data is deemed to be secure even if the device is lost or stolen.  The State standard uses hardware encryption instead of software encryption.  Both means of encryption are strong.  However, hardware encryption eliminates more risk by minimizing the opportunities for human error associated with software encryption.  Though software encrypted drives initially might appear to have a cost advantage, setup and training costs can push their cost higher. 

Why is the Standard more expensive?
Hardware encrypted flash drives are more expensive.  However, the State negotiated an excellent price for the devices set as the standard.  Comparisons to similarly capable hardware encrypted drives will demonstrate this point.  The security provided is well worth the difference.  The cost difference between a hardware encrypted drive and others is relatively small when spread over the expected life of the device.  The additional costs incurred by all agencies combined could easily be offset if only one security breach is avoided. 

What if I have staff members that need flash drives but don’t work with confidential information?
That may be the case initially.  But flash drives tend to change hands frequently and thus managing them can be difficult.  At some point it is possible that the flash drive could contain confidential information.  That is likely to be the time when you need the protection.

The cost may be affordable for an entry level 1GB drive but it is harder to afford the larger drives.  What should I do?
Take a hard look at the use of the drive.  While home users might need more capacity to store video and mp3 files that type of data is only rarely required for State business.  1GB should be more than enough for most State business functions especially if the data on the drive is managed appropriately. 

Should we stop using our current flash drive inventory?
Budget circumstances are tight and given the flash drive inventories at some agencies such a requirement would be negatively impactful.  However, if agencies know that a flash drive(s) is being used to store sensitive or confidential information, they should get the State standard as a replacement immediately.  Otherwise, they should carefully manage the legacy flash drives to ensure their loss does not result in a security breach. 

With the hardware encrypted drives I don’t really need to manage their use or the data stored on them since the risk of a breach is eliminated?
Good management of data is always important.  Agencies should only grudgingly allow the creation of additional instances of any information.  Each instance of the data should be removed from the protections of the network only due to a business need that is not accomplished through another means.  If it is taken off the network it must be encrypted.  Also, the flash drive, because of its purpose, capability, and cost, is an asset that should be assigned and tracked just like laptops and cell phones.