Wednesday, September 16, 2009
To help departments, schools and colleges comply with the new Policy on Storage and Encryption of Sensitive Information, UW-Madison is offering a limited number of free licenses of McAfee Endpoint Encryption software for Windows-based computers. IT administrators can obtain this software by sending an email to amonette@wisc.edu or pruss@doit.wisc.edu. Faculty and staff should consult with their local IT support staff before encrypting their computers.
The University does not mandate the use of any specific software, but the encryption must be managed and the University must be able to access the data, if needed. Departments, schools and colleges may decide to purchase additional encryption software, and the DoIT Tech Store can provide guidance on University contract options. Contact sales@doit.wisc.edu for more information.
UW-Madison stores and processes thousands of records containing sensitive data. To protect these records from unauthorized access, the University now requires all faculty and staff to encrypt sensitive University data, as detailed in a new policy that went into effect on June 1, 2009.
The new Policy on Storage and Encryption of Sensitive Information (.pdf) is intended to reduce the risk of unauthorized access to sensitive University data. This is particularly important for protecting Social Security numbers, financial account numbers, student data and the intellectual property of research.
Under the new policy, UW faculty and staff must obtain permission from supervisors before storing sensitive information on personal-use computers. In addition, faculty and staff can only store the minimal amount of sensitive information needed, encrypt what data remains, and ensure that these University data records are available, if needed. The date for complying with the new Policy on Storage and Encryption of Sensitive Information has not yet been determined.
Sensitive data — especially any personally identifiable data — must be protected. Laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) outline responsibilities for protecting University information. Sensitive data includes restricted data such as Social Security numbers and financial account numbers, passwords, and research data potentially subject to a future patent. A draft definition of what constitutes sensitive data is available on our wiki.
Encryption and other electronic security controls provide a mechanism for protecting confidential information. Should a faculty laptop containing confidential information be lost or stolen, for example, encryption would protect the data from unauthorized access.
Campus departments helped to develop the new policy, and several participated in a pilot test of McAfee Endpoint Encryption software. The pilot included 400 computers in the Division of Enrollment Management offices. Phil Saunders of Enrollment Management praised the pilot: “From my standpoint, the implementation of the McAfee Endpoint Encryption software went very smoothly. The staff were afraid that it would be difficult to use, or worse, make their computer slower. They discovered that they don’t even know it’s there except for an extra password.”
This new IT policy is just one of many on the Web site of the Office of the CIO (www.cio.wisc.edu/policies/) that detail roles and responsibilities of faculty, staff and students in the appropriate use of computing resources and protection of sensitive data. For more information on IT policies, contact Judy Caruso at judy.caruso@cio.wisc.edu. To learn more about encryption, contact Allen Monette at amonette@wisc.edu.