University Owned Desktop Encryption Requirements

  1. High risk desktop computers are to be encrypted by May 31, 2014.
    1. Deans, Chairs, and/or Department Heads, in concert with the institution’s Chief Information Security Officer, are responsible for identifying the desktops in their areas that are high risk, based on guidelines included in the next section.
    2. All other desktop computers may remain unencrypted until they are replaced following the respective institution’s guidelines for hardware refresh and replacement, at which time they would be properly disposed of.
       
  2. All new desktop computers purchased on or after September 1, 2013, are to be encrypted before deployment.
    1. For high-performance computing needs, the ISO recommends that Solid-State Drives (SSD) be installed and used with an approved software encryption product (e.g., SecureDoc, BitLocker, FileVault 2). This will yield higher performance than a Self-Encrypting Drive (SED).
    2. Self-Encrypting Drives may be used (just as with laptops) but must be managed via a third-party tool, such as SecureDoc, or otherwise have password security enabled such that the user is required to authenticate before the data is decrypted.

Identifying 'High Risk'

What is a "high risk" desktop computer?
In general, there are three circumstances that indicate that a desktop computer is high risk. These are as follows:

  • Based on Location: Desktops in public/high-traffic areas that are used by staff with access to confidential/protected data are considered high risk. Small form factor desktops pose an additional risk.
  • Based on Business Function: Desktops may be high risk based on the activities of the business unit in which they are located. For example, desktops in clinical, hospital, or HR settings are likely high risk because of the type of work performed in these functional areas. The approach centered on business unit function or area is easier to implement because it does not require risk-scoring every desktop in the environment.
  • Based on Role of User: Computers belonging to Executive Officers and their support staff should, by default, be considered high risk as the loss of these computers will likely have an adverse impact on the reputation of the individuals as well as the institution as a whole. 

The criteria outlined above are not all-inclusive. Any desktop computer that stores data whose access by an unauthorized party, or whose unauthorized change or deletion, would have a highly adverse impact on the University is high risk.

Who makes the final determination as to whether a desktop computer is to be considered high risk?

The decision is made by management of the functional area where the device is located, in consultation with the UT Austin Chief Information Security Officer and based on criteria identified in the answer to question 1 above. If a dispute arises, the Information Owner of the data placed at potential risk will determine the classification of the device, in accordance with Information Owner responsibilities as outlined in TAC 202.71 (1)(A through I). Any resulting information security exception request must be documented and reported through the exception request process. Policy exceptions may include systems like the following:

  • Desktops that have software controls such as DeepFreeze that are configured not to retain data.
  • Kiosk computers that are designed not to store any data locally (including browser caches).
  • Computers designed with no local storage.
  • Virtual desktops for which the hypervisor is a secure “cloud service” and does not permit transfer of the virtual image. NOTE: If the hypervisor is a desktop computer, then the desktop itself should be encrypted.

Approved Encryption Methods for UT Austin Portable Devices

The Information Security Office (ISO) has approved several methods of complying with policy for encrypting sensitive data. The preferred method is to use the operating system's native encryption (e.g., FileVault, BitLocker, LUKS) combined with a centralized systems management suite (e.g., LANrev, SCCM) to monitor encryption status.

The ISO strongly believes that the following features are important in an encryption solution: 

  1. Industry-standard, well-tested encryption algorithms.
  2. Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
  3. Timely support for new operating system versions and to address security issues.
  4. The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.

End-users, in consultation with their local IT support staff, should choose one of the approved methods. The ISO recommends the use of Stache for key escrow when possible.

The list of approved encryption methods is organized by device type:

If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu