13.23 Mobile Device Encryption
Purpose
This policy applies to all university-owned mobile and external storage devices managed by UNI. Faculty, staff, students, trainees, vendors, volunteers, contractors, and other affiliates of UNI with access to university-owned devices are subject to the terms of this policy, as well as the UNI Data Classification Policy.
The Mobile Device Encryption Policy establishes requirements for the appropriate use of disk encryption technologies for mobile devices at the University of Northern Iowa (UNI).
Scope
This policy applies to all university-owned mobile and external storage devices managed by UNI. Faculty, staff, students, trainees, vendors, volunteers, contractors, and other affiliates of UNI with access to university-owned devices are subject to the terms of this policy, as well as the UNI Data Classification Policy.
Definitions
Mobile Device: Device designed to support portable computing, including laptops, tablets, and smartphones.
External Storage Devices: Small, individual use external storage devices that store and transfer files.
Level III Data: Level III data includes all data protected by federal or state law, including, but not limited to FERPA, HIPAA, Gramm-Leach-Bliley Act, and Iowa’s Personal Information Security Breach Protection law (Iowa Code Chapter 715C) or by the Payment Card Industry Data Security Standard (PCI DSS) and other contractual obligations. Please see the UNI Data Classification Policy for more information.
Policy Statements
- Full disk encryption technology is required for all university-owned and managed mobile devices and external storage devices. Full disk encryption is recommended for personally-owned and managed devices.
- Only encryption products and solutions approved by the UNI Information Technology Security Office may be used to satisfy the requirements of this policy.
- Encryption management software, keys, and audit logs for university-owned and managed devices will be maintained centrally by the university.
- Mobile and external storage devices may not be used to store Level III data. Personally-owned devices are prohibited from directly accessing and storing Level III data.
- Using patterns consistent with Level III data structures, university-owned mobile devices will be scanned on a regular basis to validate that Level III data is not stored locally. Please see the UNI Data Classification Policy for more information.
- Access to mobile devices must be (minimally) controlled with a passphrase or PIN. Pattern-based, photo-based, and other unlocking techniques deemed inadequate by the UNI Information Technology Security Office are prohibited.
Roles and Responsibilities
Information Technology Security Office
- The UNI Information Technology Security Office will establish the standards to govern the secure use of mobile technology.
- The UNI Information Technology Security Office is responsible for the selection of appropriate encryption solutions, the maintenance of encryption management software and keys, and the monitoring of audit logs.
- The UNI Information Technology Security Office is responsible for the analysis of and denial or approval of necessary waivers to the requirements of this policy. Granted waivers are to be documented and communicated to the UNI Chief Information Officer.
Chief Information Officer and UNI Administration
- The Chief Information Officer and UNI Administration will provide support and guidance to assist units in complying with these standards.
Information Technology professionals
- UNI Information Technology (IT) professionals will ensure that university-owned and managed mobile devices are inventoried and encrypted.
Faculty, staff, and students
- All members of the UNI constituency are responsible for reporting unencrypted devices to their designated IT support staff to request assistance with policy compliance.
- Without prior approval by the UNI Information Technology Security Office, members of the UNI constituency may not disable, remove, or tamper with encryption software.
- All members of the UNI constituency will report the loss or theft of a mobile computing device to the UNI Police Department and the UNI Information Technology Security Office.
Related University Policies:
14.09 University of Northern Iowa Data Classification Policy:
http://www.uni.edu/policies/1409
Additional Information:
UNI Information Technology Security Office web site: https://it.uni.edu/services/security
Office of Information Technology Services, approved June 2015
[approved by the President and EMT as an interim policy June 2015]
President’s Cabinet, approved November 9, 2015
President and Executive Management Team, approved December 14, 2015