The standard says Restricted Data. Why do I have to comply? What does this mean to me?
The standard says any device that stores restricted data prior to August 17, 2013 must be encrypted, but after August 17th, all devices must be encrypted. Here is the quoted text:
“All laptops and portable personal computers storing restricted data must utilize whole disk encryption. In addition, any laptops and portable personal computers purchased after August 17, 2011 must utilize whole disk encryption. All other laptops and portable personal computers shall have whole disk encryption installed by August 17, 2013.”
Simply stated, if a mobile device accesses or stores UF data, it must be encrypted.
Who is responsible for complying with this? What happens if I don’t comply with this policy?
The mobile device custodian is responsible for complying with this policy. CLAS IT, and local department IT units, will facilitate encrypting UF owned mobile devices. Personally owned devices can be taken to the UF Computing Help Desk where a technician will encrypt the device for a nominal charge.
Please be aware of the UF Regulation, “Policies on Information Technology and Information Security,” which states:
“Failure to follow University’s IT and Information Security Policies may result in penalties and disciplinary action, including but not limited to termination of employment or student expulsion, revocation of user access or other legal sanctions..”
If I take an encrypted computer to an export controlled country, am I in violation of federal law?
In 2010 there were changes to the EAR regulations, which cover cryptography and encryption. As a result of those changes, as long as a person is not traveling to Cuba, Iran, North Korea, Sudan, and Syria and the device remains in the possession of a staff/faculty member, they are not breaking federal law.
Additional questions should be addressed to the UF General Counsels office or the International Center.
If you are unable to encrypt your laptop by yourself, then the primary source of help should be the UF Computing Help Desk. They will charge a nominal fee of $40 for this service. You should perform a complete system backup of your laptop before bringing it in to the help desk.
If you decide to encrypt the device yourself, the important thing is to follow the standard – all mobile devices that access UF data are encrypted, verified, and can be unencrypted using a centrally stored recovery key.
Unfortunately, because of the variability with the different distros of Linux, we are unable to offer assistance or suggestions.
What about smartphones and tablets?
Smartphones and tablets are not exempted from this policy, and must also be encrypted
iOS (iPhone/iPad) are already encrypted from the factory.
Android phones running 3.0 and later can have encryption enabled via the OS. Please see http://www.networkworld.com/article/2689371/opensource-subnet/how-to-encrypt-an-android-device-in-5-steps.html.
Windows 8 can have encryption enabled via Bitlocker. Please see http://msdn.microsoft.com/en-us/library/windows/apps/hh487164%28v=vs.105%29.aspx.
What prep work will I need to do before I encrypt my device?
Please make sure to do a complete backup of your device prior to encrypting it. If you are having your device encrypted by a third party service provider, please be sure to make the backup prior to bringing the device to them.
What is the purpose of the Mobile Computing and Storage Devices Policy?
The purpose is to protect the University of Florida in the event of theft/lost mobile devices.
Does this policy include my computer at home?
No. There currently is no requirement to encrypt desktop computers.
What about portable storage devices, such as external hard drives?
Portable devices, such as external hard drives and USB memory sticks, must be encrypted per the standard. There is an allowable exception in the event that encrypting the portable device would interfere with the function, and that there is no restricted data on the device. Please see the standard, under “1 Encryption of Data” item #D.
As of October 2014, we strongly recommend the Kingston Technologies 16gb DataTraveler Locker+G3 USB Thumb Drive, which can be purchased from Amazon for less than $20.
What is restricted data? What is sensitive data?
Restricted data is data that is protected by contract or law, examples include FERPA data (student records), social security numbers, and credit card numbers.Sensitive data are items that can be disclosed under a Sunshine Law (FOIA) request, but are typically not normally published for public consumption – for example, network topology maps and the president’s meeting schedule.
Why are you just bringing this to me now?
The policy has existed for a couple of years now, and was brought forth before the UF Faculty Senate for approval, and a DDD memo was published in 2011. CLAS IT has announced it to computer contacts for the past two years in both public forums and in email. There is nothing new in the policy.
Who should I contact if I have questions concerning the Mobile Computing and Storage Devices Policy?
UF Office of Information Security and Compliance (firstname.lastname@example.org)
UF Office of the General Counsel (www.generalcounsel.ufl.edu)
The UF Computing Help Desk (email@example.com, 352-392-HELP).
UF Human Resources (hr.ufl.edu, 352-392-2477).
Revised: October 1, 2014