We strongly recommend using ITS-Managed services to implement the IT controls specific to your sensitive data requirements. The guidelines on this webpage are for researchers who have elected to use ITS-Managed services to safeguard export-controlled data. If you choose not to use ITS-Managed services, you are responsible for ensuring that the requirements listed in the Safeguarding Export-Controlled Technical Data for System Administrators article are met, in addition to the requirements listed on this webpage, should your contract require this level of security.

Access Controls

  • Do not access export-controlled information from shared, public computers such as kiosk-type computers in libraries, hotels, and business centers, or from computers that have no local access control.

  • Do not post export-controlled information on public websites or on websites that rely solely on IP addresses for access control. Instead, secure access using individually assigned accounts that require a username and password, user certificates, or other user-specific authentication methods.

  • Protect export-controlled information with at least one physical and one logical barrier (e.g., a locked container or room, plus a login and password) whenever it is not under direct individual control.

  • Only persons listed in the TCP should have access to the export-controlled data.

System Management

  • User-managed devices (as specified in the IT Security Plan) must also adhere to these guidelines and must be made available to OneIT staff, as needed or on a schedule, for log analysis/offload, patch assurance, and system vetting.

Transmission of ITAR covered data

  • Do not transmit or email Controlled Information unencrypted. An alternative to email is to place the files in a secure location (e.g., an SFTP site) and send an authenticated link in a message to whoever needs access to the file (as specified in the TCP).

  • Wireless network access to Controlled Information must be encrypted using, e.g., WPA2 Enterprise wireless network encryption (Eduroam) or VPN (vpn.uiowa.edu).

  • Transfer controlled information only to subcontractors and collaborators listed in the TCP.

*Please note: before sharing export-controlled data, contact the Export Control staff. Export Control will review the contractual language to ensure that sharing is allowed.

Laptops

  • The data must be stored on a University-owned and managed single-user laptop that uses whole-disk encryption (e.g., FileVault2 for Mac, BitLocker for Windows, LUKS for Linux) with a unique decryption passphrase known only to the device's authorized primary user.

*For more detailed information about using laptops for export-controlled data, refer to the Laptop section of Safeguarding Export-Controlled Technical Data for System Administrators.

Storing ITAR covered data

  • Export-controlled data is stored only on devices listed in the IT Security Plan.

  • If the export-controlled data cannot be encrypted at rest using an electronic barrier, a physical barrier must be implemented instead (e.g., a locked rack or storage safe).

Please visit the DSP Export Control webpage or contact export-control@uiowa.edu for more information on Export Control regulations. Questions about technical implementations that support ITAR/EAR compliance can be sent to ITS-TechCompliance@uiowa.edu.

Article number: 110251
Last updated: October 5, 2017