Storage and Encryption

Layout for printing
Policy Number:
UW-516
Responsible Office:
Division of Information Technology (DoIT)

University Policy

Rationale/​Purpose:

Unauthorized access to restricted data and sensitive data can have significant detrimental effects on individuals or the institution. There have been sizeable information security breaches at higher education institutions that resulted from the loss or theft of laptops or other portable devices and media. Desktop computers and devices also pose a significant risk due to the difficulty of providing adequate and consistent physical and network security. Overall, loss, theft, and unauthorized physical or network access account for approximately two-thirds of information security breaches.

Experience in higher education has demonstrated that an information security breach can be very costly to the affected individuals and the institution. Anti-virus software, security updates and firewalls cannot fully protect devices and media. The most effective way to reduce risk is to reduce the amount of restricted data and sensitive data that is present. Encryption reduces the risk of unauthorized access to any remaining restricted data or sensitive data.

Scope:

Applies to anyone who stores restricted data or sensitive data, as defined in UW-504 Data Classification policy.

Policy:

  1. Policy

    1. UW–Madison employees and contractors must have permission from their supervisor or other appropriate authority to store or access restricted data or sensitive data on desktops, laptops, or other portable devices or media.
    2. The presence of restricted data and sensitive data on desktops, laptops, and other portable devices and media must be limited to the amount necessary for immediate operations.
    3. UW–Madison employees and contractors must encrypt restricted data and sensitive data when it is stored or accessed on desktops, laptops, or other portable devices or media, according to the current compliance standards.
    4. UW–Madison employees and contractors must ensure that encrypted information is accessible and retrievable as needed for operations and records retention purposes.
    5. The compliance standards describe current requirements and currently available resources and procedures. The compliance standards will change over time as technology and business needs change.

  2. Enforcement

    1. Failure to comply may result in disciplinary action up to and including termination of employment.
Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:

Policy Administration

Approval Authority:
Chief Information Officer & Vice Provost for Information Technology
Policy Manager:
Assistant Director, Cybersecurity Program and Business Services
Contact:
IT Policy Writer and Analyst, Office of CyberSecurity; IT Policy Website Link -- Sara Tate-Pederson, itpolicy@cio.wisc.edu, (608) 263-5370
Effective Date:
06-01-2009
Revised Dates:

09-24-2010, 01-05-2018

Reviewed Dates:

01/05/2018

Retrieved:
05-19-2022 12:34:23