Last summer the Iowa Regents institutions were charged to implement a mobile encryption program and policy that began with a comprehensive effort to encrypt all internal storage in mobile devices, including laptops and tablets. Through a coordinated institution-wide effort, the University of Iowa accomplished the task of activating managed whole disk encryption on over 5,500 university mobile computing devices.
The UI is now turning its attention to the remainder of the Regents’ charge, encrypting portable storage devices. Considerable time was spent developing the strategy, reaching consensus with the other universities, and then negotiating our proposal with the Office of the Auditor of State. To summarize, efforts will be focused on areas of the university that pose a higher risk for sensitive data breach due to the information that is routinely handled. Similar practices are recommended elsewhere, for individuals or areas that also pose a heightened risk.
Selected university departments (HR, Business Office, Purchasing/AP/Travel, Admissions, Registrar and Financial Aid) have been identified as routine handlers of highly sensitive (Level III) information, and their leadership has been contacted individually. Level III information is typically protected by regulations, state law, privacy norms, security standards, or is data that poses significant risk of harm to an individual if exposed inappropriately.
For the departments identified above, the following controls will be implemented:
- All client (end-user) computers will utilize whole disk encryption, including desktops.
- All client computers will have a policy/configuration implemented that prevents executing programs from, and writing institutional data to, portable storage devices (e.g., USB flash drives). Reading files from portable storage devices will continue to be enabled for everyone.
- Users are advised to use storage options other than portable storage devices to meet their external, transportable storage needs. For instance, OneDrive is accessible from any device that has a network connection, and is the UI’s preferred storage platform for users. It can be used to share files, transfer them, or access them from a location other than one’s workstation or laptop, such as from home or while traveling.
- Users with a business requirement to write/copy institutional data onto a portable storage device will need an exception authorized by department leadership. Once granted, their computer will be configured so that the ability to write files onto portable storage is enabled. Users will be responsible for ensuring that sensitive institutional data is only written onto portable storage devices that are encrypted.
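As an added illustration (not the university's own configuration, which this page does not describe), the read-allowed, write-and-execute-denied control above maps onto the Removable Storage Access policy values that Group Policy writes on Windows clients. The script assumes a Windows endpoint, an elevated session, and that those policy registry keys are the mechanism in use; in practice the same values would be delivered centrally by Group Policy or a management tool rather than set by hand.

```powershell
# Added example: apply and verify the portable-storage control from the
# policy above on a Windows client. Assumption: the Removable Storage Access
# policy keys (the same ones Group Policy writes) are the enforcement mechanism.
# Run in an elevated PowerShell session.

# Policy key for the "Removable Disks" device class
$RemovableDisksKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-PortableStoragePolicy {
    param(
        # Use only for a user granted a department-leadership exception
        [switch]$AllowWrite
    )
    if (-not (Test-Path $RemovableDisksKey)) {
        New-Item -Path $RemovableDisksKey -Force | Out-Null
    }
    # Baseline for everyone: no program execution from removable disks
    Set-ItemProperty -Path $RemovableDisksKey -Name 'Deny_Execute' -Value 1 -Type DWord
    # Reading stays enabled for everyone, so Deny_Read is explicitly cleared
    Set-ItemProperty -Path $RemovableDisksKey -Name 'Deny_Read' -Value 0 -Type DWord
    # Writing is denied unless an authorized exception applies
    $denyWrite = if ($AllowWrite) { 0 } else { 1 }
    Set-ItemProperty -Path $RemovableDisksKey -Name 'Deny_Write' -Value $denyWrite -Type DWord
}

function Get-PortableStoragePolicy {
    # Report the effective policy so IT support can verify a machine's state
    if (-not (Test-Path $RemovableDisksKey)) {
        return [pscustomobject]@{ Read = 'allowed'; Write = 'allowed'; Execute = 'allowed'; Note = 'no policy key present' }
    }
    $p = Get-ItemProperty -Path $RemovableDisksKey
    # A missing or zero value means the action is allowed
    $state = { param($v) if ($v -eq 1) { 'denied' } else { 'allowed' } }
    [pscustomobject]@{
        Read    = & $state $p.Deny_Read
        Write   = & $state $p.Deny_Write
        Execute = & $state $p.Deny_Execute
    }
}

# Baseline for a workstation in a Level III department:
Set-PortableStoragePolicy
# For a user with an authorized write exception, run instead:
# Set-PortableStoragePolicy -AllowWrite
Get-PortableStoragePolicy | Format-List
```

The new values take effect when a device is next connected or after a policy refresh, and locally written values are overwritten by domain Group Policy, so the exception should be recorded in the central policy, not only on the machine.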
All university departments will be offered these protections as a recommended practice, and new end-user computers will be encrypted going forward. However, our priority is on departments in which all or most employees routinely handle Level III data. If you are interested in having your area follow the practices above, please discuss it with your local IT support staff, or contact the Enterprise Client Management group (firstname.lastname@example.org).
In all cases, your department IT support staff would be responsible for implementing the protections described above and for working with leadership to answer questions about the process. For more information about encryption, see http://its.uiowa.edu/encryption