Encryption: PolicyIn July 2007, UT System issued a Security Practice Bulletin #1 (SPB-1) that established encryption as a requirement for storage of Confidential University data on portable computing devices. Since then, this policy has helped to avoid a number of serious data exposures, as laptops were encrypted prior to being lost or stolen. However, there have also been incidents where laptops were lost or stolen, and it could not be determined whether or not the laptop contained confidential data. To address this possibility, Pedro Reyes, Executive Vice Chancellor for Academic Affairs, ad interim, sent a memo to the presidents of all UT System universities, on June 20, 2012 instructing them to encrypt ALL university laptops by August 31, 2012. This memorandum supersedes the previous policy.
Under the 2007 policy, it was possible to request an exemption to avoid the requirement for encryption. Under the 2012 policy, all prior exemptions are revoked. Requests for exemptions may be made on a computer by computer basis and must be thoroughly documented and submitted for review and approval to President David Daniel, the CISO and U. T. System Information Security Compliance to assess risk posed by granting an exemption. Exemptions will be rare, and allowed only under circumstances that pose extremely low risk. To request an exemption, please e-mail email@example.com and include as much information as possible about your situation.
This policy is the first of several that will expand security requirements for desktop computers and mobile devices. Information Security will send out notifications as we have more information. Additional questions can be directed to the Information Security Office: firstname.lastname@example.org