UW-Madison - IT - Storage and Encryption Standard

The Storage and Encryption Standard is the implementation of the Storage and Encryption Policy.

  1. Suggested Implementation Procedure

    1. As soon as possible:

      1. Discover and review what restricted data and sensitive data you have on laptops and other portable devices and media. (Desktops may optionally be included in this phase, otherwise see below for desktops.)

      2. Get as much restricted data and sensitive data off of those devices as possible. This could include deleting extra copies or moving the data to a secure server. Management should decide what restricted data and sensitive data must remain on such devices in order to support immediate operational needs.

      3. Use encryption to protect any remaining restricted data and sensitive data on laptops and other portable devices and media.

    2. As soon as practical: repeat the above steps for desktop devices.

  2. Requirements

    1. Priority:

      1. Compliance for laptops and other portable devices and media is of high priority (higher than routine operations).

      2. Compliance for desktop devices is of moderate priority (similar to routine operations).

    2. Accessibility and Retrievability of Records:

      A method of key recovery must be used whenever university records are encrypted. Technical and/or procedural key recovery methods must assure that the institution can meet all operational needs and legal obligations requiring access to the records, and at a minimum assure that there are one or more backup copies or alternative keys that are readily available for use in the event the normal key is lost, or it is necessary to access the records without the assistance of the normal keyholder(s).

    3. General Exceptions:

      1. Conflicts with laws, regulations or contracts.

        The restricted data and sensitive data must be protected with compensating controls.

        When there is a conflict that apparently precludes encryption, the data custodians and/or data stewards should seek expert advice as to whether or not encryption may still be used with appropriate safeguards.

      2. Portable read-only media that was written prior to the effective date of the policy.

        The media must be protected with compensating controls.

        Unencrypted copies of restricted data and sensitive data on read-only media should be destroyed if they are no longer needed; otherwise they should be replaced in the normal course of business.

      3. Devices or media do not support encryption.

        The devices or media must be protected with compensating controls.

        Devices and media that do not support encryption should be replaced in the normal course of business by devices and media that do support encryption.

      4. Operational needs of the unit make encryption impractical.

        The restricted data and sensitive data must be protected by compensating controls.

        The unit should work towards reducing the amount of restricted data and sensitive data that requires encryption, and removing the operational barriers to encrypting the remaining restricted data and sensitive data.

      5. Decisions of the data stewards.

        The restricted data and sensitive data must be protected by compensating controls.

      6. Backups stored in unencrypted form.

        Unencrypted backups containing restricted data and sensitive data must be protected by compensating controls.

      7. The only restricted data or sensitive data present is the custodian’s personal information.

        The custodian could encrypt the information for her or his own protection, but is not required to do so.

  3. Recommendations

    1. Encryption of restricted data and sensitive data on servers:

      Restricted data and sensitive data on servers is not covered by this policy. It is recommended that encryption be employed on servers.

    2. Encryption of transmitted information:

      Transmission of restricted data and sensitive data is not covered under this policy. It is recommended that some form of encryption or secure network connection be used when restricted data and sensitive data is transmitted over unsecured networks.

    3. Non-electronic media:

      Non-electronic media are not covered under this policy. It is recommended that appropriate physical security controls be implemented to protect restricted data and sensitive data on such media.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

References

Storage and Encryption Policy - https://policy.wisc.edu/library/UW-516
Data Classification Policy - https://kb.wisc.edu/itpolicy/cio-data-classification-policy
IT Policy Glossary - https://kb.wisc.edu/itpolicy/glossary


Effective: Jun 01, 2009
Revised: Sep 24, 2010 Rev B (Jan 05, 2018)
Reviewed: Jan, 2018
Review in: two years
Maintained by: Office of the CIO, IT Policy

History at: https://kb.wisc.edu/itpolicy/cio-encryption-history
Reference at: https://kb.wisc.edu/itpolicy/cio-encryption-standar