Why am I required to encrypt all data, even when I don't plan on storing any Restricted data?
Computer equipment is lost and stolen every day, and data breaches happen far too often. It is UF's duty to protect the information entrusted to it. Failure to do so could result in significant financial penalties, loss of grants and contracts, damage to our reputation, and harm to people whose data was disclosed. Internal audits have found Restricted data stored in many places it was not intended to be (and where the owners insisted it wouldn't be). To be sure, we must protect the most vulnerable places data can be stored.
Can I use a different model of encrypted USB drive?
Other models are acceptable, but it must be verified that the drives are truly hardware encrypted. Many drives advertised as 'secure' only implement a password check in software; the data itself is not encrypted and is therefore easily accessible even without the password.
We have tested and verified the security of the following models:
Kingston DataTraveler Vault Privacy
Kingston DataTraveler Locker+ G2
Why do I have to encrypt my mobile devices? What are the requirements in the UF policy?
My smartphone or tablet does not support encryption that is compliant with UF’s requirements. What can I do?
The encryption and passcode requirements apply to any device used to store university data. If your device cannot comply, then you need to be certain that you do not use it to access or store university data.
Next time you go to purchase a smartphone or tablet, be sure to choose a model that can meet UF’s requirements. Check the instructions for encrypting the different phone models to help find a compliant phone model.
Portable computers that are not capable of using a supported and UF-standards compliant encryption method may use another form of whole disk encryption. There are very specific requirements that must be followed.
Would emails I send out from my encrypted laptop be encrypted? If so, how would other users read my mail?
Encrypting your laptop’s hard drive or device’s storage only affects the data as stored on the device. This prevents someone who obtains your device without your password from being able to read the files directly from the hard drive. Individual files and emails are not encrypted separately; rather, the disk as a whole is encrypted. Files copied off the device, and emails sent from the device, will not be encrypted and thus need to be protected.
Are there foreign travel concerns when using encryption?
In general, products classified by the government as 'mass market' can be exported to most countries without an export license. The exceptions are the embargoed/sanctioned countries: Cuba, Iran, Syria, Sudan and North Korea. Whenever traveling with UF assets, the appropriate Asset Management forms must be completed, which will include verification of export eligibility for the encryption software.
Besides encryption software, there are other technologies and information that may have export controls or other travel concerns. Travelers should check with the UF International Center for advice.
If my smartphone is configured to receive UF email, does that automatically set all of the security controls?
When you configure a phone or tablet to receive email via Exchange Active Sync, the email system will attempt to enforce some security controls, such as a passcode lock. However, because phones vary in the features they support, this cannot be counted on to apply all required security controls. Be sure to follow the steps outlined for your specific phone model on the Mobile Device Security website to make sure it is fully encrypted.
What is considered a mobile computing device?
Small devices intended primarily for accessing or processing data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:
Laptop, notebook, netbook and similar portable personal computers
Smartphones, tablets and PDAs (Android, Blackberry, iPhone, iPad, and others)
What are the encryption requirements for mobile computing devices?
All mobile computing devices that store University of Florida Data must be fully encrypted, regardless of ownership. For example, smartphones and tablets store University of Florida Data when they are configured to access UF email. This means that personally owned laptops, smartphones and tablets used for university business must be encrypted.
Which mobile devices are required to be inventoried?
Mobile computing devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts, must be recorded in the unit’s information assets inventory. Mobile storage devices, including USB flash drives and CD or DVD media, do not need to be inventoried.
What are the exceptions for encrypting portable storage devices?
Specific uses where no Restricted Data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Restricted Data.
This exception is intended only for situations such as SD cards used in digital cameras or bootable USB drives used to install operating systems. This does not include situations in which encryption is inconvenient or adds undesired complexity.
Specific uses in which devices are used for marketing and public relations, no Restricted Data will be stored, and the intended recipient is not a member of the UF Community. Devices used in this way must be clearly marked as not for use with Restricted Data.
This exception is limited to marketing activities, such as providing prospective students with publicly available materials in electronic form, or submitting team rosters to organizers of athletic events.