Encryption Requirements & Procedures

Procedure Explanation:

Recently, the University approved Procedure 29.01.03.C2.28 - "Classification and Protection of Data; Encryption."

This Procedure reiterates Texas state information law and clarifies the responsibilities placed upon all users and custodians to identify and protect the University's confidential information.

For all users, perhaps the most important part of Procedure 28 is the mandate to encrypt confidential information whenever it is 1) stored on any portable device (e.g., tablet, pad, laptop, smartphone), 2) stored on any non-state-owned computer (e.g., your home computer, Dropbox, Google Docs), or 3) transmitted over the Internet. In other words, if confidential information is not stored on a University server or desktop machine, it must be encrypted.

Furthermore, Procedure 28 states that users have the following additional responsibilities:

1. Identifying confidential and sensitive data in their possession.

2. Minimizing confidential and sensitive data in their possession.

3. Ensuring that only authorized individuals have access to confidential data.

For a summary of the rights and responsibilities of all University network users, click here.

For Custodians of information resources, this Procedure defines the following additional responsibilities:

1. Custodians shall periodically scan their information resources for confidential information (e.g., with Identity Finder).

2. Custodians shall properly sanitize storage media before disposal (e.g., by destruction of hard drives).