Information Security Office
UT Arlington Computing Device Encryption Requirements
In June, 2007, The University of Texas System adopted as policy, Security Practice Bulletin #1 (SPB-1) "Encryption Practices for Storage of Confidential University Data on Portable and Non-University Owned Computing Devices". The policy establishes a UT System-wide encryption requirement in the event that confidential University data are to be stored on portable computing devices (including laptops) or non-University Owned Computing devices.
In June, 2012, the Executive Vice Chancellor sent a memo to all the Presidents of The UT System Academic Institutions requiring the encryption of all University Laptop Computers as well as personally owned computers containing University confidential information. A detailed FAQ accompanied the laptop encryption mandate memo.
In May, 2013, a memo was sent to all of the Presidents of academic institutions requiring the encryption of high-risk desktop computers and all new computers purchased after September 1, 2013. A detailed FAQ accompanied the desktop encryption mandate memo as well.
- Always make sure that all confidential and controlled information is stored and maintained securely using methods approved by the Information Security Office, including encryption, access control and anti-malware software.
- Always back up your data to approved encrypted storage or network drives. This is even more essential with encrypted hard drives as data recovery is made more difficult, especially when there is a mechanical or electronic problem with the drive.
Encryption Requirement for University Owned Computing Devices
Consistent with UT System mandates and requirements, all UT Arlington owned computers (following the criteria below) require managed full disk encryption.
- All University owned laptops.
- All high-risk desktop computers (desktops containing confidential or controlled information).
- All computers (irrespective of form factor) purchased on or after September 1, 2013.
- All portable devices containing confidential or controlled information.
Requirement for Managed Full Disk Encryption
Managed full disk encryption software is required in order to ensure consistency in encryption methods and compliance reporting, and to provide security and availability of encryption keys. Requirements include, but are not limited to, ensuring that encryption:
- Keys are properly and securely escrowed in order to ensure that data on encrypted computers is available.
- Continues to be enabled; this is critical to ensuring that the systems are protected in the event of theft or loss.
- Restricts access to the data to those with a legitimate need to know and follows least privilege principles.
- Strength is sufficient to protect the system.
- Methods are appropriate and sufficient to protect the system.
Requirements for Encryption Compliance Reporting
In order to maintain compliance with the full disk encryption policy, the following requirements need to be met:
- All University owned computers, irrespective of purchase value, require asset tags issued by the Property Management Office.
- All University owned computers must follow the University's standard computer naming convention that includes the asset tag number.
- Encryption management software and configuration must be approved by the Information Security Office.
- Unless an exception has been approved, managed full disk encryption software must be installed and configured to automatically verify encryption status.
- Encryption status must be verified at least every 120 days.
Encryption Requirements for Personal or Non-University Owned Computing Devices
UT System has provided guidance on the encryption requirements for personally owned computers.
Neither UT System nor the University requires staff or faculty to use personal devices to conduct University Business; and faculty and staff are encouraged not to do so. However, if faculty or staff choose to use a personal computer to conduct University business, they are responsible for ensuring that the security and integrity of the data are maintained in accordance with System security requirements. This includes the requirement to ensure that the device is encrypted pursuant to the University requirements. These requirements apply to all University data, regardless of whether the data is confidential by law or information that would be available under the Texas Public Information Act.
Consistent with UTS 165 (11.3.3) and UTS Practice Bulletin 1, unless otherwise required by federal or state law or regulation, confidential or controlled information must not be stored on non-university owned computing devices, such as personally owned computers or other electronic devices (e.g., laptop, desktop, tablet, smart phone, flash drives, or other portable or handheld computing devices) unless it is secured against unauthorized access in accordance with UT System and UT Arlington policy.
Permission to store confidential or controlled UT Arlington information or data on personal devices must be granted by the owner of the data and approved by the respective department head as well as dean or vice president. Additionally, the method of encryption must be approved by the Information Security Office.
Frequently Asked Questions
1. What is Encryption?
Encryption can be described as the "locking" (scrambling or encoding) of data in a format that cannot be easily deciphered by individuals who don't have the key to unlock it. Encryption provides safe harbor in most situations as it prevents unauthorized access to the data; computers or files that are properly encrypted with a key that is kept securely are effectively useless in the hands of an unauthorized user.
2. What is “safe harbor”?
Safe harbor, in the context of encrypted computers that do not have a compromised key, means that the data stored on the devices is considered inaccessible to unauthorized access, and therefore considered secure from any misuse if the computer is lost or stolen.
3. What is full disk encryption?
Full disk encryption is where the entire storage space on a computing device is encrypted.
4. What is managed encryption?
Managed encryption provides centralized compliance reporting and key escrow. The encryption software communicates with a centralized server to provide information about the encrypted state of the computer, provides a copy of the key to it, and sends or receives configuration information. Centralized compliance reporting helps provide Executive Management and UT System some assurance that computing devices are encrypted and remain encrypted.
5. What is key escrow?
Key escrow is the practice whereby the key used to unlock or decrypt data is stored in a secure location and is available to the institution in the event that the owner of the system cannot provide it. This is essential for recovering data in the event of hard drive failure, or in the event that data needs to be accessed in response to a litigation hold, subpoena or open records request.
6. How do I obtain an exception to the encryption requirement?
Exemption requests apply to desktops and laptop computers, mobile devices that are University owned, as well as personally owned devices that contain University information that meet requirements for encryption.
Exemptions will be rare and only allowed under circumstances that pose extremely low risk, or for unique circumstances where encryption is not viable due to technical reasons, and are evaluated on a case by case basis by the Information Security Office (ISO). To request an exception, complete the “Computing Device Encryption Exception Request (Form 18-1)” form located at https://www.uta.edu/policy/form/18-1. Fax or scan and email the completed form to 817-272-2612 or firstname.lastname@example.org, respectively.
Handwritten requests will not be accepted. The ISO will notify your department with approval/disapproval status. Where an exception is denied, the President or his designee may accept the decision of the ISO, override the decision, or request additional information or actions to be taken in order to reach a final decision.
7. How do I encrypt my University owned computer?
Always back up your data to approved encrypted storage or network drives before you attempt encryption.
The managed whole disk encryption software currently approved by the ISO, and fully supported by OIT, is WinMagic’s SecureDoc. All devices that are purchased must have operating systems and hardware that can support SecureDoc. SecureDoc supports Windows, Mac OS X and Linux (using the OS agnostic version). It also supports OS X FileVault and OPAL Compliant Self Encrypted Drives (SEDs). It will soon support native BitLocker encryption. It fully supports key escrow, and both ISO and OIT staff are trained to troubleshoot the software and to recover data using the escrowed key.
The SecureDoc installation process typically takes about 10 minutes while the encryption process on the laptop itself can take several hours (6-48 depending on the size of the hard drive). Users will still be able to work while the hard drive(s) encrypt with little to no impact on machine performance.
Starting September 1, 2013, all new computers purchased by the institution will need to be encrypted before being deployed. By way of established process, all newly purchased computers are delivered to the Office of Information Technology (OIT) for encryption. OIT will also ensure that supported University operating systems and security software are also installed. OIT has technical staff available to assist with encrypting University owned computers that happen to be delivered directly to departments. To request encryption, contact OIT by email at email@example.com, or by calling x2-2208.
You may also perform the encryption installation yourself from the downloads page located at http://www.uta.edu/oit/cs/software/downloads.php. Familiarize yourself with the “More Information” sections for the appropriate operating system, Windows or Mac, prior to attempting the installation.
8. Do I need to encrypt my personally owned computer?
If you store confidential (Category I) or controlled (Category II) data on your personally owned computer, you are required to encrypt it. For more information, see the Information Security Office Personal Full Disk Encryption page.
9. How do I maintain compliance?
Compliance can be maintained by having the computing devices check in with the SecureDoc server at least once every 4 months. For instructions on how to accomplish this, please visit http://www.uta.edu/security/encryption/securedoc/sdcommunication.php.