Data Encryption Policy

Policy Purpose

The purpose of this policy is to provide guidance to all Users to appropriately secure any Protected Data from risks including, but not limited to, access, use, disclosure, and removal as well as to adhere to regulatory and compliance requirements.


Scope

This policy applies to all Users who have access to/store/transmit Protected Data on University business.


Definitions

University: Refers to Webster University
User: Anyone with authorized access to University business information systems. This includes employees, faculty, students, third-party personnel such as temporaries, contractors or consultants, and other parties with valid University access accounts
University Owned Mobile Devices: These include, but are not limited to, Personal Digital Assistants (PDAs), notebook computers, Tablet PCs, iPhones, iPads, Palm Pilots, Microsoft Pocket PCs, RIM BlackBerry devices, MP3 players, text pagers, smart phones, compact discs, DVDs, memory sticks, flash drives, floppy disks and other similar devices and removable media
University Owned Non-Mobile Devices: These include, but are not limited to, computing devices that cannot readily be moved, such as desktop computers
Data: Information stored on any electronic media throughout the University
Protected Data: Any data governed by a Federal or State regulatory or compliance requirement (such as HIPAA, FERPA, FISMA, GLBA, PCI DSS or the Red Flags Rule), PII, IP, and any data deemed critical to University business and academic processes which, if compromised, may cause substantial harm and/or financial loss
HIPAA: The Health Insurance Portability and Accountability Act, which among other things protects the privacy of a patient's medical records
FERPA: The Family Educational Rights and Privacy Act, which protects the privacy of student education records
FISMA: The Federal Information Security Management Act, which recognizes the importance of information security to the economic and national security interests of the United States and sets out information security requirements that federal agencies, and other parties collaborating with such agencies, must follow to safeguard IT systems and the data they contain
GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, whose privacy provisions require the protection of a consumer's financial information
PCI DSS: The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council (founded by the major card brands) for organizations that store, process or transmit cardholder data, to prevent card fraud, compromise and other security issues. The University must be PCI DSS compliant or risk losing the ability to process credit card payments
Red Flag: The Red Flags Rule, a mandate developed by the Federal Trade Commission (FTC) requiring institutions to develop identity theft prevention programs
PII: Personally Identifiable Information, which can potentially be used to uniquely identify, contact or locate a single person, such as a social security number, together with sensitive data tied to that identity such as health information or credit card information
IP: Intellectual Property, a work or invention that is the result of creativity, such as research or a design, to which one has rights and for which one may apply for a patent, copyright, trademark, etc.
Encryption: A process of converting Data so that eavesdroppers or attackers cannot read it, but authorized parties holding the key can
Password Protection: Restricting access to Data with a password. It gives the same protection as Encryption only when the password is used to encrypt the Data (as a document "password to open" does); a password that merely restricts editing, or a device login on its own, does not protect the Data if the file or the storage medium is copied
Screen Lock: A password-protected mechanism used to hide Data on a visual display while the device continues to operate
Screen Timeout: A mechanism which turns off the display, and should engage the Screen Lock, after the device has not been used for a specified time period
Personal Devices: Non-University-Owned devices used by employees, at the employee's option, to access, store or transmit Protected Data on University business. This includes personal telephones, whether or not the person receives a telephone allowance from the University. The University Information Technology Department does not support Personal Devices



Policy Statement

Users must secure any Protected Data they access, create, possess, store, or transmit, and must comply with the following requirements:

  • Protected Data should only be accessed on University Owned Mobile or Non-Mobile Devices. The University will provide an individual with a University Owned Mobile or Non-Mobile Device when it is determined that such a device is required for the performance of the individual's position responsibilities. Accordingly, use of Personal Devices is discouraged; however, should an individual use a Personal Device on University business, the same requirements this Policy sets for University Owned Devices apply to that Personal Device, and all cyber security risks associated with use of Personal Devices are the responsibility of the User.
  • Protected Data must be encrypted or password protected when stored on University Owned Mobile or Non-Mobile Devices and when transmitted, including by e-mail. Password protection satisfies this requirement only where the password actually encrypts the Data (for example, a document "password to open"); a password that only restricts editing, or the device login alone, does not protect a file that is copied off the device or an e-mail attachment in transit.
  • Protected Data must not be sent through insecure public instant messaging networks including, but not limited to, AOL Instant Messenger, Yahoo Messenger, MSN Messenger, and Google Talk.
  • University-owned mobile or non-mobile devices must be logged off when not in use during non-work hours. Mobile devices shall be kept within the personal possession of the User whenever possible. Whenever a device is left unattended, the device shall be stored in a secure place, preferably out-of-sight.
  • A password protected Screen Timeout/Screen Lock must activate within a maximum of thirty (30) minutes of inactivity.

Basic security protection including, but not limited to, authentication, network configuration, firewall, anti-virus protection and security patches must be installed and actively maintained on an ongoing basis on all University Owned Mobile or Non-Mobile devices.

Before University Owned Mobile or Non-Mobile Devices are connected to University systems, they shall be scanned for malware and any infection found must be removed. Users must completely and securely erase (not merely delete) all Protected Data from University Owned Mobile or Non-Mobile Devices upon replacement, exchange or disposal. Assistance with these processes is available through the University's Information Technology Department.

The physical security of University Owned Mobile or Non-Mobile Devices is the responsibility of the User. If a University Owned Mobile or Non-Mobile Device is lost or stolen, the User must promptly report the incident to their supervisor, Public Safety, and the Information Technology Department. The report should include the device's serial number if it has one, so that the device can be identified and, where supported, remotely locked or wiped.


Enforcement

Users must familiarize themselves with the resources listed below and complete the University's data security training, along with periodic updates as they are made available.

Users who do not comply with this policy may temporarily be denied access to University computing resources and may be subject to other penalties and disciplinary action. Depending on the circumstances, federal or state law may permit civil or criminal litigation and / or restitution, fines and / or penalties for actions that violate this policy.

Noncompliant devices, once the University becomes aware of them, will be disconnected from the University data network and from departmental systems until the device is brought into compliance.


Resources

Password Protected: https://support.office.com/en-US/article/Password-protect-documents-workbooks-and-presentations-EF163677-3195-40BA-885A-D50FA2BB6B68

Encryption: http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7

Contact IT Service Desk at support@webster.edu or call 314-968-5995 for support.

Rev. Nov. 2015