Responsible Office: Office of Cybersecurity	Last Review: 03/01/2023 Next Review: 03/01/2025
Contact: Chris Madeksho	Phone: 901.448.1579 Email: mmadeksh@uthsc.edu

Purpose

To outline encryption requirements for all personally owned and UTHSC owned and managed mobile computing and storage devices. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

All mobile computing and storage devices, appliances, laptops, tablets, smart- phones, peripherals etc. regardless of device ownership accessing, storing, transmitting UTHSC data or information with a level 3 classification rating per GP- 002-Data & System Classification.

Definitions

Personal Device – any device that is not purchased or owned by UTHSC. UTHSC IT Resource – Any data, device, or other component of the information environment that supports information-related activities. Assets generally include hardware (e.g., endpoint devices), software (e.g. critical applications and support systems) and information.

Responsibilities

Data Owner is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management. They assign data classification based on the data’s potential impact level and determines if data access is allowed.

Information Technology Services (ITS) is responsible for the deployment of the technical controls to manage personal devices on the UTHSC network.

The Office of Cybersecurity is responsible for establishing security controls and procedures to protect UTHSC intellectual property and data. Classification of data is per GP-002-Data & System Classification. The security of the data is based on GP- 005-Data Security.

Owner of personal device must abide by this practice and all University standards and practices while using their personal device on the UTHSC network.

System Owner is responsible for the development, procurement, integration, modification, operation, and maintenance, and/or final disposition of an information system.

UTHSC Chancellor/Executive Leadership defines the allowance for the use of personal devices on the UTHSC network.

Practice

1. UTHSC data or information with a level 3 classification rating must be protected by encryption during transmission over any wireless network and any non-UTHSC network.
2. All mobile devices deployed after October 1, 2017 through ITS CTS (Customer Technology Services) must be encrypted.
3. Regardless of device ownership, as of January 1, 2016, UTHSC data or information with a level 3 classification rating stored on mobile computing and/or portable storage devices must be encrypted.
4. All persistent storage within any and all mobile computing devices used within UTHSC must meet the following encryption standards:
   1. The encryption passphrase will meet or exceed password strength requirements per AC-002.02-Password Management and Complexity. The following exception applies:
      1. Small portable computing devices where keyboard entry is cumbersome (e.g. smart phones) may use reduced password strength and complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
   2. The encryption mechanism includes a management component that provides key recovery and proof that the device is encrypted.
   3. The encryption and key management methods used must have the approval of UTHSC’s Office of Cybersecurity or designee.
   4. Whenever possible, devices will include the ability to remotely wipe stored data in the event the device is lost or stolen.
5. All portable storage devices must be fully encrypted. The following exceptions apply:
   1. When NO UTHSC data or information with a level 3 classification rating will be stored and encryption would interfere with the device’s intended use (e.g. a promotional USB device). Devices used in this way must be clearly marked as not for use with UTHSC data or information with a level 3 classification rating.
   2. Devices used for marketing and public relations, that have no UTHSC data or information with a level 3 classification rating stored on the device, and the intended recipient is not a member of the UTHSC Community.
6. Personally owned devices must adhere to CS-002-Personally Owned Device Security.
7. Exceptions to this Practice should be requested using the process outlined in GP- 001.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls.
   1. If an exception is allowed and personal devices, encryption of these devices must be adhered to according to SC-005-Encryption.

References

1. AC-002.02-Password Management and Complexity
2. CS-002-Personally Owned Device Security
3. GP-001-UTHSC Information Security Program
4. GP-001.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls
5. GP-002-Data & System Classification
6. GP-005-Data Security
7. SC-005-Encryption