During the summer of 2012, the Board of Regents of the University of Texas System established a mandate for the encryption of all laptops in the System after a serious data breach at one of the institutions. In the spring of 2013 the Board finalized the requirements for encryption of desktops across the System as well. Information Security worked with the departments at all schools to meet the May 2014 deadline for desktop encryption, and one of the most important steps the departments had to take was determining which systems would be encrypted, which would be exempted, and which would be retired.
Laptop and desktop encryption is designed to protect the university and its customers in the event a device is lost or stolen. If a department determines a device cannot or must not be encrypted, steps must be taken to ensure that device does not represent a threat to the university, and an encryption exemption must be requested. Desktop and laptop encryption exemptions must be approved by the Chief Information Security Officer (CISO). Exemptions are granted based on a justifiable, verifiable business case, including appropriate documentation. Any exemptions that are granted will be for a maximum of one year, must be reviewed for changing circumstances and must be renewed. Additionally, exemptions are considered on a per-device basis, with one request per device; bulk exemption requests will not be considered.
The overall encryption exemption process is as follows:
- Requester gathers and provides documentation justifying the exemption (see list below).
- Requester submits the request for exemption using the online exemption request form.
- The Chief Information Security Officer (CISO) makes the decision.
- The CISO communicates the decision:
  - Denial – notify the requester with an explanation for the denial.
  - Approval – notify the requester and assign an expiration date.
Supporting documentation for the exemption request includes, but isn’t limited to:
- Individual identifier for the device
- Owning department, along with responsible personnel (dean/director/chair, requester, etc.)
- How the device is currently being used
- The reason(s) the device cannot be encrypted or retired
- A business case based on the above reasons
- Any compensating controls put in place to reduce the risk of loss of the device and its data
- Any supplemental documentation supporting the request, such as:
  - Manufacturer’s documentation
  - Regulatory requirements
  - Peer-supplied/reviewed examples of similar situations
Use of the following compensating controls is already approved for both laptops and desktops, but an exemption request form must still be submitted for each device.
- Deep Freeze
- Kiosks with no local data storage
- Network bootable or thin client systems with no local data storage
- Virtual desktop on secured hypervisor server that does not allow the transfer or copy of the virtual image
Note: If you are not able to access the online form, download the form to your computer by right-clicking on this link (Exemption Request Form) and choosing the save option for your browser:
- Internet Explorer – “Save Target As …”
- Firefox – “Save Link As …”
- Chrome – “Save link as …”
1. Download the form to your computer (requires Microsoft Excel 2007 or later)
2. Read tab “1-Instructions Page”
3. Fill out tab “2-General Form”
4. Fill out tab “Encryption”
5. Begin collecting the necessary signatures
For more information regarding desktop/laptop encryption and the exemption process, please contact Information Security at grc@uthscsa.edu, or the Information Security Hotline at 210-567-0707.