Encrypting sensitive information increases the university's ability to comply with legislation, regulation, contractual obligations, expectations of our constituents and the community at large. and reduces the risk of a data security breach.

Encryption of sensitive information maintained on or transmitted by computing devices is mandatory. It is the responsibility of each user to ensure encryption for all University related data not hosted on University enterprise systems. Encryption of data hosted on enterprise systems is the responsibility of IT personnel.

Administrative Standards

• Computing devices and storage media
   All computing devices and storage media (includes portable and remote devices) used to store, process or transmit sensitive information must use encryption. Full disk encryption technology is the recommended method if full disk encryption is supported on your device or media. If not, at a minimum, all sensitive data fields, files or storage partitions must be encrypted. Implementation of safeguards for devices used for media in transit to off-site locations is required.
• Where technically possible, all computing devices purchased with university funds/owned by the university  must adhere to university technology requirements, which include the utilization of a supported form of whole-disk encryption. The university policy exception process must be followed for devices not meeting this requirement.

Note: Personal devices must not be used for sensitive information unless the device is configured to comply with these standards.

  See ISO-012 Workstation and Computing Devices and ISO-013 Server Computing Devices

• Data Backups
   All data backups should be encrypted and password protected. Backup’s containing sensitive data must be encrypted. Exceptions may be permitted if the backup is  shown to be stored in a location with substantial physical security and barriers to entry. Note: Backups containing electronic protected health information (ePHI) must be encrypted. Encryption is mandatory for all backups held in the  custody of a third party (non-UofL personnel). See ISO-015 Backup of Data, ISO-002 Business Continuity and Disaster Recovery.
• Transmission of data via e-mail, web access and other means
   If sensitive information is transmitted over any network other than the University's internal network, the data or the transmission protocol must be encrypted. See ISO-010 Network Service.
• Connecting to university and affiliated computing resources from outside the university network
   All connections to these resources (servers, personal computing devices, networking equipment, etc.) must be via a secure and/or encrypted connection such as a VPN, secure HTTP, secure FTP, SSH or other secure and/or encrypted method. See ISO-010 Network Service.

Technical Standards

• Acceptable Encryption Technologies 
   Encryption of sensitive information is mandatory. All users are strongly encouraged to use encryption solutions that have been tested and approved by Information Technology. Native encryption solutions such as Bitlocker for Windows PC’s and FileVault for Macs are recommended. The university’s encryption client provides synchronization with AD, automatic client updates, and password recovery assistance. This client can be utilized alongside the device’s native encryption. University approved encryption software is provided on the university's iTech Xpress web site (login required).
  • Microsoft windows encryption is supported on most all hardware. Non-compatible hardware includes RAID and SCSI device machines and machines configured for dual or multi-boot operation. Please see IT's encryption support information.  If your machine contains sensitive information and also has RAID or SCSI devices or is set-up for dual/multi-boot operation or is otherwise not compatible please contact Information Technology to discuss alternative methods for safeguarding sensitive information.
  • Apple MacIntosh users should use the built in encryption software native to OS X.
  • Smart phone or mobile device users should use the encryption software provided by the device manufacturer or supporting vendor.
• Cryptographic Controls
  • Cryptographic controls must conform to the university and regulatory cryptographic technology standards, be used only for the intended purpose to protect sensitive data in transit and at rest and in accordance with all relevant laws regulations and agreements.
  • Cryptographic systems, including key management, must be secure and recoverable; reviewed and approved by an authorized university official prior to implementation.
    • Keys should be secured and where possible, centrally managed.
    • A key management process should be created, documented and address ownership, authorization, recovery, security, destruction, logging/revoking and distribution.

1 - Sensitive information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, confidential or proprietary research data, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. See Information Management and Classification Standard.

2 - Computing Devices: Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, mobile devices, email/messaging devices, cell phones, removable hard drives, flash or "thumb" drives, etc. all hereafter referred to as "computing devices".

3 - Enterprise Systems: Server class computing systems physically maintained in the University's computing center by the Information Technology Department which features multiple layers of physical security and access control, back-up power, climate control, fire suppression, data back-up and disaster recovery plans, etc. Only a few computing centers elsewhere fit the enterprise systems category. Servers and computers located in offices, data closets and other areas that do not have the features and dedicated staffing of one of these data centers do not fit the enterprise systems criteria. See Technical Standards section of this document for compatibility of devices with recommended software and alternative recommendations.

Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.

Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.