Storage and Encryption Policy

Layout for printing
Policy Number:
UW-516
Old Policy Number:
n/a
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Scope:

Apples to anyone who stores restricted data or sensitive data, as defined in the Data Classification Policy.

Policy:

Policy

  1. UW-Madison employees and contractors must have permission from their supervisor or other appropriate authority in order to store or access restricted data or sensitive data on desktops, laptops or other portable devices or media.
  2. The presence of restricted data and sensitive data on desktops, laptops and other portable devices and media must be limited to the amount necessary for immediate operations.
  3. UW-Madison employees and contractors must encrypt restricted data and sensitive data when it is stored or accessed on desktops, laptops or other portable devices or media, according to the current compliance standards.
  4. UW-Madison employees and contractors must assure that encrypted information is accessible and retrievable as needed for operations and records retention purposes.

The compliance standards describe current requirements and currently available resources and procedures. The compliance standards will change over time as technology and business needs change.

Background

Unauthorized access to restricted data and sensitive data can have significant detrimental effects on individuals or the institution. There have been sizeable information security breaches at higher education institutions that resulted from the loss or theft of laptops or other portable devices and media. Desktop computers and devices also pose a significant risk due to the difficulty of providing adequate and consistent physical and network security. Overall, loss, theft and unauthorized physical or network access account for approximately two thirds of information security breaches.

Experience in higher education has demonstrated that an information security breach can be very costly to the affected individuals and the institution. Anti-virus software, security updates and firewalls cannot fully protect devices and media. The most effective way to reduce risk is to reduce the amount of restricted data and sensitive data that is present. Encryption reduces the risk of unauthorized access to any remaining restricted data or sensitive data.

Authority

Issued by the UW-Madison Vice Provost for Information Technology.

Enforcement

Failure to comply may result in disciplinary action up to and including termination of employment.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

Related UW-Madison Policies:
Related UW-Madison Documents:

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
It Policy Writer and Analyst, Office of CyberSecurity -- Sara Tate-Pederson, itpolicy@cio.wisc.edu, (608) 263-5370
Effective Date:
06-01-2009
Revised Dates:

09/24/2010 01/05/2018

Reviewed Dates:
01/05/2018
Retrieved:
03-02-2021 00:57:05