Standard for Encryption Controls
I. PURPOSE
The purpose of this standard is to ensure that efforts to keep university resources secure using encryption controls are conducted in a manner which preserves the confidentiality, integrity, and authenticity of the information.
II. SCOPE
This standard is applicable to university faculty, staff, and other authorized users who access university owned or maintained data.
III. CONTACTS
Direct any general questions about this standard to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.
IV. STANDARD
Encryption can be a very effective security measure that protects data stored on a university computer if the device is lost or stolen. Due to their mobility, laptops present a greater potential for data loss. Therefore, university laptops should be encrypted with the OneIT centrally managed full disk encryption solution.
One of the challenges of encryption is the management of keys or passwords used to unlock the drive. The inability for authorized personnel to access encrypted data can result in the loss of university resources. For this reason, any encryption involving university owned or maintained data or resources needs to use the centrally managed solution.
Some situations involving contractually protected research data or certain operating systems may prohibit the central storage of encryption keys. In these scenarios, an alternate encryption solution, with the encryption keys managed by the area Data Security Officer, may be considered. This solution must be reviewed by the OneIT Security & Compliance Office.
NOTE: Full disk encryption is not a substitute for other protection controls including the proper handling of sensitive or confidential university information as outlined in the Standard for Information Classification and Guideline for Data Handling.
RELATED RESOURCES
- University Policy 311 Information Security
- Standard for Information Classification
- Guideline for Data Handling
- Guideline for Research Data Security
- Guideline for Security of Endpoints
- ISO/IEC 27002
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Revision History
Initially approved by Information Assurance Committee 5/19/17
Updated 1/4/2024