Loyola University Chicago

Information Technology Services

Encryption Policy

Scope

This policy covers all computers, electronic devices, and media capable of storing electronic data that house Loyola Protected data or Loyola Sensitive data as defined by the Data Classification Policy. This policy also covers the circumstances under which encryption must be used when data is being transferred.

Purpose

The purpose of this policy is to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption. 

Policy

Devices and Media Requiring Encryption

All ITS managed databases that contain Loyola Protected Data must encrypt the Data at rest.  All databases, application servers and file systems that contain Loyola Protected Data must leverage appropriate access control, per the Access Control Policy, to ensure that access to the Data is limited to those whose job functions require access.

Encryption is required for all laptops, workstations, and portable drives that may be used to store or access Loyola data. Departments that have a laptop, workstation, or portable drive that needs to be encrypted should contact the ITS Help Desk.

Electronic Data Transfers

Any transfer of unencrypted Loyola Protected data or Loyola Sensitive data must take place via an encrypted method. Encrypted Loyola Protected data or Loyola Sensitive data may be transmitted via encrypted or unencrypted methods. All email communications that involve email addresses outside of Loyola use an unencrypted method, and therefore require that messages containing Loyola Protected data or Loyola Sensitive data be encrypted. Approved methods of encrypting electronic data transfers are listed in the appendix. If the encryption method includes a password, that password must be transferred through an alternative method, such as calling the individual and leaving the password on their voice mail. Email messages containing encrypted data may never include the password. Individuals who are unsure if they are correctly encrypting electronic data transfers should contact the ITS Information Security team at DataSecurity@luc.edu.

Physical Transfer of Electronic Data

The physical transfer of Loyola Protected Data via a medium such as a CD, DVD, USB drive or other portable medium, either entirely within Loyola or between Loyola and a third party, is not allowed. If there is a business need to perform a physical transfer of Loyola Protected Data, a request for an exception to the policy must be granted. Contact the Information Security team at DataSecurity@luc.edu.

Physical transfers of Loyola Sensitive Data must be encrypted.  Archiving Loyola Sensitive data to a physical medium is not recommended, but is permitted if the data is encrypted. All archiving should be done electronically, so that it is stored in a controlled data center and backed up by ITS.

Software

ITS will install software that is capable of encrypting the entire hard drive on all ITS supported Loyola computers and electronic devices subject to this Policy.  ITS will install encryption software on non-ITS-supported computers and devices if the software is compatible.  If the computer or device is not compatible with the approved ITS encryption software and an acceptable alternative cannot be found, then Loyola Sensitive and Loyola Protected data may not be stored on the device.  Users who require encryption software should contact ITS to arrange installation of encryption software.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Appendix

Examples of portable drives:  

Please contact the UISO at DataSecurity@luc.edu for assistance with file or drive encryption. USB flash drives/thumb drives/memory sticks can be purchased with encryption built-in. Please visit http://www.luc.edu/its/purchases.shtml to view recommended products.

Approved Encryption Methods for Electronic Data Transfers

Approved Methods for Encrypting Email

The approved method of encrypting email is outlined at http://www.luc.edu/its/encrypt_email.shtml. If you have any questions about the process, please contact the Information Security team at DataSecurity@luc.edu.

Other policies referenced by this Policy

Updates and History

May 25, 2011: Initial Policy
October 29, 2012: Annual PCI Review
July 12, 2013: Annual Review for PCI Compliance
Author: Information Security Advisory Council (ISAC)
Version: 2.0
 
 