In compliance with a directive by The University of Texas System (UTS) Board of Regents, and UTS 165 Information Resources Use and Security Policy, all University of Texas at El Paso (UTEP) owned/leased laptops must be fully encrypted by August 31, 2012. As with most portable devices, laptops are at a high risk of being lost or stolen. The portability of these laptops poses a significant risk to exposure of confidential information stored on them. It is imperative that all employees know that confidential data must not be downloaded to a portable or personally-owned device without the express permission of the data Owner, and that any such data must be encrypted using Institutional ISO approved methods. Encrypting these devices will make it unfeasible for unauthorized retrieval of this information should a device be lost or stolen.
The encryption process will provide full-disk encryption by a government-certified product. What this means is that the contents of the entire hard drive will be made unreadable to unauthorized users.
If you are planning to travel abroad on University business please contact the ISO and complete the following form, Approval to Decrypt Device for Travel Abroad (PDF), if you are considering taking your University-owned device with you. Some countries are not participating states in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies thus requiring certain items to be restricted. Data considered an Information Resource to UTEP or otherwise Confidential, Sensitive, or Controlled in nature shall not be transported out of the United States. If traveling with a laptop or other mobile device to a non-participating Country, the device MUST be decrypted before you travel. Laptops for this purpose may be checked out at the Library-Technology Support Center (restrictions may apply). Countries participating in the Wassenaar Arrangement allow encrypted devices into and out of their countries; however, this changes from day-to-day and a search must be performed to insure that a specific Country is a participant (or not) just prior to traveling. Please note that you will need to seek approval from your Dean, Director, or Chair to remove the device off campus (Authorization to Remove Equipment Off Campus). Additionally, an Export Control Acknowledgement and Certification Form will need to be submitted for approval to the Chief Information Security Officer (CISO) at firstname.lastname@example.org .
The University of Texas System Chief Information Security Council requested that all institutions use their recommended approach to addressing desktop encryption. This approach takes into account risk and the need to spread costs and staff efforts over time. In short, the requirement is that 1) all high-risk desktop computers be identified and encrypted no later than May 31, 2014, and 2) beginning September 1, 2013, ALL newly purchased computers be encrypted prior to deployment. This is a measured approach that will result in all high risk desktop computers being encrypted within a year from May 31, 2014, and lower risk computers being encrypted as existing computers are replaced. All desktops MUST be encrypted.
Project Details- Historical
The project consists of a number of phases; these included, campus awareness, gathering a comprehensive and up-to-date inventory of all portable devices used to conduct university business, training, etc… More information on the project can be found here
The project will consist of a number of phases, some of which will include identification of high-risk desktops, priority and order in which the high-risk computers will be encrypted, training, reporting requirements, etc. More information will be available once the project plan is finalized.
Exceptions for the encryption will be considered only in rare situations. The exception request will be routed for approval to UTEP's Chief Information Security Officer (CISO). For more details on acquiring an exception for a laptop, please click here: Device Encryption Exemption Form
There may be circumstances that prevent the use of encryption of some computers. In such situations an exemption will be considered. Desktop computers that meet the following criteria do not require encryption as they do not retain data: have controls in place such as "Deep Freeze" to enfore data wiping after each use; Kiosk computers designed not to store cata locally; network bootable computers designed with no local hard drives; virtual desktops for which the hypervisor is a secure 'cloud service' and does not permit transfer of the virtual image (if hypervisor itself is a desktop computer, then the desktop itself should be encrypted; and thin clients that have no local storage.Note: The Exemption Process outlined applies also to exemption requests for laptop computers and mobile devices that are University owned or are personally owned but that contain University information that meet requirements for encryption.
- Personally Owned Computer Encryption Notice
- Approval to Decrypt Device for Travel Abroad
- Export Control Acknowledgement and Certification Form
- Authorization to Remove Equipment Off Campus
- Device Encryption Exemption Form