Laptop Encryption Deadline Nears
In order for The University of Texas at Austin to meet the terms of the UT System mandatory laptop encryption policy, all University-owned laptops and all personal laptops containing Category 1 data must be encrypted by December 30, 2011.
The following questions are designed to help faculty and staff understand and comply with this requirement:
- What devices need to be encrypted?
- Why is laptop encryption important?
- What options are available for encrypting my laptop?
- How do I know whether I have Category 1 data on my work or personal computer?
- Will encryption impact the performance of my system?
- What are the consequences if I don't encrypt my laptop and it is lost or stolen?
- Are there exceptions to the policy? What is the exception process?
- What if I need additional help to encrypt my laptop?
The policy states that the following devices must be encrypted:
- All University-owned laptops
- Personal laptops with Category 1 data
The consequences of lost data include identity theft, compromised research data, endangered federal grant status, loss of commercialization properties, erosion of alumni and donor trust, and risk to the reputation and image of the University.
For your protection, encryption is a best practice for any laptop computer you use or own, regardless of whether it contains Category 1 data. Examples of Category 1 data include grades, Social Security numbers, or credit card numbers. An extended list of Category 1 data is also available.
Your IT support staff will help you encrypt your laptop. If you don't have your own support staff, there are additional options.
The Information Security Office has reviewed and approved all of the encryption solutions on this website as compliant with the new encryption policy. These options include:
- WinMagic SecureDoc
- Microsoft BitLocker
- Apple FileVault 2
- Apple FileVault - Secure virtual memory must also be enabled
- Linux Unified Key Setup (LUKS) Encryption
- TrueCrypt with pre-boot authentication
- Self-Encrypting Drive (SED)
Of these possible solutions, the Information Security Office recommends the centrally managed SecureDoc solution because it provides reporting information which satisfies the policy's verification requirements. The other approved solutions require additional validation to meet this requirement. Please consult with your local IT support staff or call the Information Technology Services (ITS) Help Desk with questions.
There are two references that can help you determine if you have Category 1 data on your work or personally owned laptop:
Once the initial act of encrypting the device is completed, the average user will not notice any performance differences. The encryption software runs in the background, and utilizes approximately 3-5% of the processor to protect your computer. No additional logons are required, and no one else will have access to your data.
NOTE: Faculty requiring extremely high performance from their laptops might consider using a self-encrypting hard drive (SED) instead of using software encryption. Please consult with your local IT support staff or call the ITS Help Desk with questions.
If an unencrypted laptop containing Category 1 data is lost or stolen, the consequences are that:
- The local department will be asked to pay for credit monitoring services for all impacted users
- Disciplinary actions will follow, as needed
NOTE: Verification is automatically addressed if you've elected to use SecureDoc or your department is managing your system with Absolute Manage, the University's comprehensive systems management tool. Both products capture basic information about the system including whether or not the system was encrypted at a given point in time.
If you are using an approved standalone encryption product (e.g., FileVault, BitLocker, TrueCrypt), you are responsible for taking steps that can verify encryption if your laptop is lost or stolen. You must take a screen capture (picture)—including the date and time stamp—indicating that your laptop was successfully encrypted. Because the content of your system changes, this is a best effort approach and should be repeated at frequent intervals. In the event your laptop is lost or stolen, it is unclear whether such an approach will be considered acceptable by State officials. Currently, it is the only reasonable way to capture your compliance efforts for non-centrally managed encryption solutions.
The policy was put in place to protect you, your personal information and professional data, and the resources and standing of the University.
Exceptions are possible. Learn more about the Security Exception Reporting process. All exception requests will be reviewed by the Information Security Office.
If you need additional assistance, you may contact either your local IT support staff or the ITS Help Desk at 475-9400 or firstname.lastname@example.org. Questions for the Information Security Office can be directed to email@example.com.