Responsible Office: Office of Cybersecurity	Last Review: 03/01/2025 Next Review: 03/01/2027
Contact: Chris Madeksho	Phone: 901.448.1579 Email: mmadeksh@uthsc.edu

Purpose

To establish encryption requirements for all devices on the University of Tennessee Health Science Center (UTHSC) network. This Standard also covers the circumstances under which encryption must be used when data is being transferred.

This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

Any device, whether UTHSC IT Resources, vendor owned or personally owned by a member of the UTHSC community, i.e. computers, electronic devices, and media capable of storing electronic data that house UTHSC data or information.

Definitions

Encryption – the process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used.

Encryption Key – a password, file, or piece of hardware that is required to encrypt and decrypt information, essentially locking and unlocking the data.

Level 2 Data – The effect on confidentiality and integrity of the Data is significant and includes compliance requirements. This Data is governed by federal, or state compliance requirements and unwarranted exposure can lead to compliance issues and/or fines. This includes all Data that contains personally identifiable information (PII), protected health information, student education records, and card holder Data. This categorization level also includes lower-risk items that, when combined, represent increased risk. per IT0005-HSC-A-Data & System Categorization. Minimum security requirements are explained on the webpage https://uthsc.edu/its/cybersecurity/requirements.php.

Personal Device – any device that is not purchased or owned by UTHSC.

UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University owned or managed information technology services, including cloud-based services, that users have access to.

Responsibilities

Data Owner is ultimately responsible for the data and information being collected and maintained by his or her department or division, usually a member of senior management.  They assign data classification based on the data’s potential impact level and determine if data access is allowed.

Information Technology Services (ITS) is responsible for the deployment of the technical controls to manage devices on the UTHSC network.

Office of Cybersecurity is responsible for establishing security controls and procedures to protect UTHSC intellectual property and data. Classification of data is per IT0005-HSC-A-Data & System Categorization. The security of the data is based on IT0311-HSC-D-Data Security.

Owners of personal devices must abide by this practice and all University standards and practices while using their personal devices on the UTHSC network.

System Owner is responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system.

UTHSC Chancellor/Executive Leadership defines the allowance for the use of personal devices on the UTHSC network.

Standard

1. Encryption algorithms and cyphers in use must meet the standards defined for use in NIST publication FIPS 140-3 or any superseding document, according to the date of implementation. For additional guidance, see NIST SP 800-131A Revision 2 or subsequent revisions.
2. No proprietary encryption algorithms are allowed, unless with documented approval from the UTHSC Office of Cybersecurity.
3. Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
4. Devices and Media Encryption is required for all laptops, workstations, and portable drives, if available, that are used to store or access UTHSC data regardless of the data classification.
5. Data residing on servers owned and operated by UTHSC ITS and located within the UTHSC Data Center must be protected by at least one of the following:
   • Encryption, or
   • Strict Access Controls that authenticate individuals accessing these data, or
   • Technical controls approved by the UTHSC Office of Cybersecurity
6. ITS provides, installs, configures, and supports encryption. Most devices purchased and imaged by ITS since 2016 have encryption configured. Any support needed for encryption can be handled by the ITS Service Desk or through TechConnect.
7. UTHSC data or information must be protected by encryption during transmission over any wireless network and during transmission over any non-UTHSC network.
8. All email communications that involve email addresses outside of the UTHSC email environment and that contain UTHSC data or information with a level 2 categorization ranking either in the body of the email or as an attachment require that the email be encrypted.
   1. If the encryption method includes a password, that password must be transferred through an alternative method, such as calling the individual and leaving the password on their voicemail.
   2. Email messages containing encrypted data may never include the password in the same message as the encrypted data. Individuals who are unsure if they are correctly encrypting electronic data transfers should contact the ITS Office of Cybersecurity at itsecurity@uthsc.edu.
9. As of January 1, 2016, all portable storage devices and media must be fully encrypted regardless of device ownership. The following exceptions apply:
   1. When NO UTHSC data or information with a level 2 categorization will be stored and encryption would interfere with the device’s intended use (e.g. a promotional USB device). Devices used in this way must be clearly marked as not for use with UTHSC data or information with a level 2 categorization.
   2. Devices and/or media used for marketing and public relations, that have no UTHSC data or information with a level 2 categorization stored on the device, and the intended recipient is not a member of the UTHSC Community.
10. All persistent storage within any and all mobile computing devices used within UTHSC must meet the following encryption standards:
    1. The encryption passphrase will meet or exceed password strength requirements per IT0506-HSC-A.01-Password Management and Complexity. The following exception applies:
       • Small portable computing devices where keyboard entry is cumbersome (e.g., smartphones) may use reduced password strength and complexity if the device is configured to allow no more than 10 failed password entry attempts before preventing use by locking for a significant amount of time or erasing all storage.
    2. The encryption mechanism includes a management component that provides key recovery and proof that the device is encrypted.
    3. The encryption and key management methods used must have the approval of UTHSC Information Security or designee.
    4. Whenever possible, devices will include the ability to remotely wipe stored data in the event the device is lost or stolen.
11. Personally owned devices must adhere to IT0102-HSC-C-Personally Owned Device Security.
12. Exceptions to this Practice should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards and Practices.

Policy History

Version #	Effective Date
1	03/17/2016
4	09/07/2021
5	08/18/2022
6	07/31/2023
7	03/01/2025

References

1. National Institute of Standards and Technology (NIST) publication FIPS 140-3
2. NIST SP 800-131A Revision 2
3. IT0311-Information Technology Data Access, Management, and Recovery
4. IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards and Practices
5. IT0005-HSC-A-Data & System Categorization
6. IT0102-HSC-C–Personally Owned Device Security
7. IT0311-HSC-D-Data Security
8. IT0506-HSC-A.01-Password Management and Complexity