RUL - 70.00.12 Rule for Encryption Controls

Information Technology
Responsible Office: Information Technology Services
Information Technology Services, 919-530-7423, [email protected]
Effective Date: September 02, 2021

1. Purpose

The purpose of this rule is to ensure that efforts to keep university resources secure using encryption controls are conducted in a manner that preserves the confidentiality, integrity, and authenticity of the information.

Encryption should be used in conjunction with other data protection controls, such as access control, strong passwords, authentication, and authorization.

Federal or state regulations or contractual agreements may require additional actions that exceed those included in this rule.

2. Scope

This rule is applicable to university faculty, staff, and other authorized users who access university-owned or university-maintained data.

3. Contacts

Direct any general questions about this rule to your department’s administrative office. If you have specific questions, please contact Information Technology Security at [email protected].

4. Rule

Encryption can be a very effective security measure that protects data stored on a university computer if the device is lost or stolen. Due to their mobility, laptops present a greater potential for data loss. Therefore, university laptops should be encrypted with ITS's centrally managed full disk encryption solution.

One of the challenges of encryption is the management of keys or passwords used to unlock the drive. The inability of authorized personnel to access encrypted data can result in the loss of university resources. For this reason, any encryption involving university-owned or university-maintained data or resources needs to use the centrally managed solution.

Some situations involving contractually protected research data or certain operating systems may prohibit the central storage of encryption keys. In these scenarios, an alternate encryption solution, with the encryption keys managed by the Information Technology Security specialist, may be considered. This solution must be reviewed by the Information Technology Security department.

Note: Full disk encryption is not a substitute for other protection controls including the proper handling of sensitive or confidential university information as outlined in REG – 70.00.2 – Data and Information Regulation.