1.0 Objective:
At Lehigh University information is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. Prudent information security policies, standards, guidelines, and procedures must be implemented to ensure not only the safety and security of those within our community, but also ensure that the confidentiality, integrity, and availability of information and associated services are not compromised, and the academic and business missions of the University can safely and successfully be maintained. To that end, encryption is required for all laptops, workstations, portable drives, and mobile devices that may be used to process, store, or access Critical or Restricted (Class I or II) data.
2.0 Purpose:
The purpose of this policy is to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption.
3.0 Audience & Scope:
This policy applies to all users including employees, students, contractors, and all other third parties who access information systems owned or utilized by Lehigh University and are provisioned Lehigh computing accounts and who process Critical or Restricted (Class I or II) data as defined by the Lehigh University Data Classification Policy: (https://lehigh.atlassian.net/wiki/x/2yWXAQ)
4.0 Policy:
Lehigh University strives to maintain the integrity and security of institutional, proprietary, and confidential data entrusted to it. This type of data includes, but is not limited to, student records, financial records (both institutional and personal), and health care related records. Lehigh’s classification of data can be seen at:
https://lehigh.atlassian.net/wiki/x/2yWXAQ.
To maintain the integrity and security of Lehigh’s data, any university desktop or laptop computer, portable drive, or mobile device containing University owned or maintained data covered by any state or federal statute, the disclosure of which exposes the University to possible substantial liability, must be encrypted using full-disk encryption or mobile device encryption technology or software.
Background
Full disk encryption is required for any University desktop or laptop computer, portable drive, or mobile device, containing university owned or maintained data consisting of financial records, health care records, student records, or information which could be utilized for identity theft. Data defined as Critical or Restricted (Class I or II) data as defined by the Lehigh University Data Classification Policy: (https://lehigh.atlassian.net/wiki/x/2yWXAQ) are considered “sensitive data”. These records are covered by the Financial Services Modernization Act of 1999, also known as the Gramm Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA - Public Law 104-191), and the Family Educational Rights and Privacy Act (FERPA – 34 CFR Part 99). Identity theft information is covered by the Federal Trade Commission’s Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003, GDPR, and various data breach laws.
While Pennsylvania state law defines a data breach, the unauthorized access and acquisition of personal computerized data, in relatively narrow terms (i.e., data containing name and Social Security number, name and driver’s license number, or name and credit card number), similar laws within other states and countries have slightly different definitions and attempt to apply themselves to state or country residents living in or out of state or home country. In order to safeguard all non-directory personally identifiable information, the University requires all such University maintained personal data be encrypted.
Implementation of Policy
Currently, full disk encryption software is available for Windows and Macintosh computers on campus. Most operating systems have full disk encryption software available as part of the operating system. Please refer to Whole Disk Encryption for more information.
Mobile devices have solutions available within the device operating system or via device virtualization capabilities that can be provided to users by LTS. Users with Lehigh owned mobile devices should also be familiar with Lehigh’s Travel and Business Expense Policy and Procedures direction for mobile devices: https://financeadmin.lehigh.edu/sites/financeadmin.lehigh.edu/files/offices/controller/docs/Business%20Exp%20Pol%20Final%20Update%20Tax%20Law%20Eff%201-1-18.pdf.
The LTS computing consultant (https://lts.lehigh.edu/about/client-services) assigned to your department should be contacted to discuss the encryption options available based on the computer’s operating system.
5.0 Exceptions:
None
6.0 Enforcement:
Those who do not abide by these policies should expect at least suspension of computer privileges and possible action under standard University rules for misconduct and existing disciplinary, personnel, or judicial processes.
Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
7.0 Definitions:
8.0 Reference Documents:
- https://lehigh.atlassian.net/wiki/x/2yWXAQ
- https://financeadmin.lehigh.edu/sites/financeadmin.lehigh.edu/files/offices/controller/docs/Business%20Exp%20Pol%20Final%20Update%20Tax%20Law%20Eff%201-1-18.pdf
- Whole disk encryption
9.0 Additional Contacts:
Web & Mobile Services, inltswms@lehigh.edu
Responsible University Official: Colin Foley, (acting) CISO
Responsible University Office: Lehigh Library and Technology Services (LTS), 610-758-3072
Effective Date: 11/13/2015
Last Updated/Reviewed: 03/14/2018
Revision Number: 1.0.2