|| OFFICIAL |
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates
Encryption of Data
March 1, 2010
Encryption of sensitive information maintained on or transmitted by computing devices is mandatory. It is the responsibility of each user to ensure encryption for all University related data not hosted on University enterprise systems. Encryption of data hosted on enterprise systems is the responsibility of IT personnel.
REASON FOR POLICY
Encrypting sensitive information increases the university's ability to comply with legislation, regulation, contractual obligations, expectations of our constituents and the community at large and reduces the risk of a data security breach.
Computing devices and storage media
All computing devices and storage media (includes portable and remote devices) used to store, process or transmit sensitive information must use encryption. Full disk encryption technology is the recommended method if full disk encryption is supported on your device or media. If not, at a minimum, all sensitive data fields, files or storage partitions must be encrypted. Implementation of safeguards or devices used for media in transit to off-site locations is required.
Where technically possible, all computing devices purchased with university funds/owned by the university must adhere to university technology requirements, which include the utilization of a supported form of whole-disk encryption. The university policy exception process must be followed for devices not meeting this requirement.
ISO-012 Workstation and Computing Devices and ISO-013 Server Computing Devices
Note: Personal devices must not be used for sensitive information unless the device is configured to comply with these standards.
All data backups should be encrypted and password protected. Backup's containing sensitive data must be encrypted. Exceptions may be permitted if hte backup is shown to be stored in a location with substantial physical security and barriers to entry. Note: Backups containing electronic protected health information (ePHI) must be encrypted. Encryption is mandatory for all backups held in the custody of a third party (non-UofL personnel). See ISO-015 Backup of Data, ISO-002 Business Continuity and Disaster Recovery.
Transmission of data via e-mail, web access and other means
If sensitive information is transmitted over any network other than the University's internal network, the data or the transmission protocol must be encrypted. See ISO-010 Network Service.
Connecting to university and affiliated computing resources from outside the university network
All connections to these resources (servers, personal computing devices, networking equipment, etc.) must be via a secure and/or encrypted connection such as a VPN, secure HTTP, secure FTP, SSH or other secure and/or encrypted method. See ISO-010 Network Service.
Acceptable Encryption Technologies
Encryption of sensitive information is mandatory. All users are strongly encouraged to use the encryption solutions that have been tested and approved by Information Technology. Native encryption solutions such as BitLocker for Windows PC's or FileVault for Macs are recommended. The university’s encryption client provides synchronization with AD, automatic client updates, and password recovery assistance. This client can be utilized alongside the device’s native encryption. University approved encryption software is provided on the university's iTech Xpress web site (login required).
Microsoft windows encryption is supported on most all hardware. Non-compatible hardware includes RAID and SCSI device machines and machines configured for dual or multi-boot operation. Please see IT's encryption support information. If your machine contains sensitive information and also has RAID or SCSI devices or is set-up for dual/multi-boot operation or is otherwise not compatible please contact Information Technology to discuss alternative methods for safeguarding sensitive information.
Apple MacIntosh users should use the built in encryption software native to OS X.
Smart phone or mobile device users should use the encryption software provided by the device manufacturer or supporting vendor.
Cryptographic controls must conform to the university and regulatory cryptographic technology standards, be used only for the intended purpose to protect sensitive data in transit and at rest and in accordance with all relevant laws regulations and agreements.
Cryptographic systems, including key management, must be secure and recoverable; reviewed and approved by an authorized university official prior to implementation.
Keys should be secured and where possible, centrally managed.
A key management process should be created, documented and address ownership, authorization, recovery, security, destruction, logging/revoking and distribution
1 - Sensitive information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, confidential or proprietary research data, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. See Information Management and Classification Standard.
2 - Computing Devices: Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, mobile devices, email/messaging devices, cell phones, removable hard drives, flash or "thumb" drives, etc. all hereafter referred to as "computing devices".
3 - Enterprise Systems: Server class computing systems physically maintained in the University's computing center by the Information Technology Department which features multiple layers of physical security and access control, back-up power, climate control, fire suppression, data back-up and disaster recovery plans, etc. Only a few computing centers elsewhere fit the enterprise systems category. Servers and computers located in offices, data closets and other areas that do not have the features and dedicated staffing of one of these data centers do not fit the enterprise systems criteria. See Technical Standards section of this document for compatibility of devices with recommended software and alternative recommendations.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved January 25, 2010 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
1.0 / February 12, 2010 / Original Publication
1.1 / March 2, 2010 / Clarification of central IT support
1.2 / March 17, 2010/ Replaced "grant reviews" with "confidential or proprietary research data". Clarification of non-compatible devices to specifically include RAID, SCSI and dual/multi-boot platforms.
1.3 / January 29, 2013 / Content Update
1.4 / September 24, 2014 / Content Review
2.0 / March 8, 2016 / Content review/update and update to template format
2.1 / June 15, 2017 / Content review/update to include refrence to encryption of university purchased/owned devices per EIT standard 2016
2.1 / August 14, 2018 / Content review/grammar and punctuation updates
Reviewed Date(s): September 24, 2014, March 8, 2016, June 15, 2017; August 14, 2018
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.