.. vim: syntax=rst
.. include:: ../global.rst
.. _policy-policy_docs-overview:

=================
Encryption Policy
=================

The University has enacted a policy that states that all University-owned laptop
computing devices must be encrypted, regardless of what data is on them. 

Relevant sections from the `Information Resources Use and Security Policy`_:

**UT-IRUSP Standard 11: Safeguarding Data**

  **11.3** Password and Encryption Protection for Computing Devices and Data.

     **11.3.1** Desktop Computers.

        **11.3.1.1** All High Risk Desktop Computers owned, leased, or controlled by the University must be Password protected and encrypted, regardless of data classification, using methods approved by the U. T. Austin Chief Information Security Officer.

        **11.3.1.2** All desktop computers purchased after September 1, 2013 must be Password protected and encrypted, regardless of data classification, using methods approved by the U. T. Austin Chief Information Security Officer before their deployment.

     **11.3.2** Laptop Computers and Other Mobile Devices. 

        **11.3.2.1** All laptop computers and other mobile devices, including but not limited to mobile and smart phones, and tablet computers, that are owned, leased, or controlled by the University, must be encrypted, regardless of data classification, using methods approved by the U. T. Austin Chief Information Security Officer.

        **11.3.2.2** USB thumb drives and similar removable storage devices owned, leased, or controlled by the University must be encrypted, using methods approved by the U. T. Austin Chief Information Security Officer, before storage of any Confidential University Data on the device.

     **11.3.3** Personally Owned Devices. Specific permission must be obtained from the department head before a user may store Confidential University Data on an                   personally owned computers, mobile devices, USB thumb drives, or similar devices. Such permission should be granted only upon demonstration of a business need and an assessment of the risk introduced by the possibility of unauthorized access or loss of the data.  All personally owned computers, mobile devices, USB thumb drives, or similar devices must be Password protected and encrypted using methods approved by the U. T. Austin Chief Information Security Officer if they contain any of the following types of University Data:

        **11.3.3.1** Information made confidential by Federal or State law, regulation, or other legally binding order or agreement;

        **11.3.3.2** Federal, State, University, or privately sponsored Research that requires confidentiality or is deemed sensitive by the funding entity; or

        **11.3.3.3** any other Information that has been deemed by U. T. Austin Institution as essential to the mission or operations of U. T. Austin to the extent that its Integrity and security should be maintained at all times.

     **11.3.4**  `Approved Encryption Methods`_ are published and maintained by the U. T.  Austin Information Security Office.

     **11.3.5** Exceptions must be filed with the Information Security Office in the event of hardware compatibility conflicts, technology limitations for certain types of devices, etc. All exceptions must note why alternative solutions are not possible (newly purchased hardware should be selected to adhere to U. T.  Austin standards prior to purchase) and identify the compensating controls that will be implemented to offset the risk created by the lack of encryption. A single exception may be filed for a number of devices as long as the devices can be uniquely identified (e.g., UT Tag, Serial, MAC address).