OIS 10 – Standard for Data Encryption
I. STANDARD STATEMENT
Data encryption is a process of securing computer files by instituting safeguards that make the files unreadable to everyone except for the holder of the encryption key. Data encryption is required on all laptops owned by UTSA.
This standard supports HOP Policy 8-12 Information Resources Use and Security Policy.
This standard applies to all UTSA faculty, staff, and students.
If you have any questions about OIS 10 – Standard for Data Encryption contact the following office:
The Office of Information Security
1. Encrypting UTSA-owned Desktops.
- All High Risk Desktop Computers owned, leased, or controlled by the University must be Passphrase protected and encrypted using methods approved by the Institution’s Information Security Officer.
- All desktop computers purchased after September 1, 2013 must be Password protected and encrypted using methods approved by the Institution’s Information Security Officer before their deployment.
2. Encrypting UTSA Laptop Computers and Other Mobile Devices.
- All laptop computers and other mobile devices, including but not limited to mobile and smart phones, and tablet computers that are owned, leased, or controlled by the University, must be encrypted using methods approved by the Institution’s Information Security Officer.
- USB thumb drives and similar removable storage devices owned, leased, or controlled by the University must be encrypted before storage of any Confidential University Data on the device.
3. What is “Sensitive Data”?
The UTSA Office of Information Security has developed the Data Classification Standard to help you determine the sensitivity of your data. While whole disk encryption is required for all laptops, encryption and passwords are recommended for all portable devices to ensure your data is secure.
4. Encryption for Personally-owned Computers
A personally owned computer must be encrypted if it contains any of the following types of University information.
- Information made confidential by federal or state law, regulation, or other legal agreement. This includes, but is not limited to, data protected by FERPA, HIPAA, the Texas Public Information Act, and the Texas breach reporting law (Business & Commerce Code Section 521.002(a)(2)).
Examples: education records, patient medical treatment and payment records, Social Security Numbers, credit card numbers.
- Federal, state, university, or privately sponsored research that requires confidentiality or is deemed sensitive by the funding entity.
- Any other information which has been deemed by the UT System or a UT System institution as essential to the mission or operations of System to the extent that its integrity and security should be maintained at all times.
5. “University information” means all recorded information created or received by or on behalf of the University (or System) that documents activities in the conduct of state business or the use of public resources. This includes all information generated by a University employee in the course of performing his or her duties regardless of whether it was created and/or located on a personal device owned by the employee.
6. Encrypted Portable Devices
There may be occasions when you need to transport sensitive data. Because of the risk of exposure, this data must be encrypted.
Effective Date: January 1, 2014
Last Revised: March 24, 2020