LAS Information Security and Laptop Encryption

LAS Faculty and Staff:

In May of 2014, I announced that LAS would be actively participating in implementing President Leath’s and Provost Wickert’s six-point plan to ensure proper protection and management of digital information. Iowa State University’s focus on security grew out of a number of data breaches that occurred on our campus and at other research institutions across the country. The LAS IT staff have been hard at work implementing the original six-point plan and considerable progress has been made.

Even so, threats continue to proliferate. In this note, I would like to focus specifically on portable devices such as laptops, tablets, iPads, etc., which can be hacked or stolen. In response to the TIER study and a separate finding from the State Auditor, ISU committed itself to encrypting all university-owned laptops or tablets running Windows, OSX, or Linux, or having a valid exception on file, by December 31st of this year.

LAS IT is already hard at work getting our laptops encrypted (encryption for other devices will follow sometime in the future). We are using industry-standard technology packaged with the Windows and OSX operating systems, and LUKS for Linux, to encrypt the hard drives of all ISU-owned laptops. This software is non-intrusive and will allow normal use of your computer. Laptops that are too outdated to run the encryption software will be decommissioned. In the rare cases where encryption would affect specific operations of a laptop, LAS IT will work with you on establishing equivalent safety measures, but please be aware that such exceptions must be approved by ISU’s Chief Information Officer. A process to request exceptions will be announced soon. Please work with your department chair and/or Associate Dean Arne Hallam if you believe you have a case that requires an exception.

If you have not yet been visited by your LAS IT staff member, please be aware that this task is ongoing. To account for end-of-semester activities and university holidays in late December, I have set a deadline of December 4, 2015, to complete the encryption of all LAS laptops.

As a reminder, here are the steps that we initiated in May 2014:

  • LAS IT personnel will be involved in the purchase of all network-attached electronic devices (servers, desktop computers, laptops, tablets, etc.) if these purchases involve ISU funds. ISU funds include grants, PI incentive accounts, and professional development funds.
  • LAS IT personnel will implement an ongoing security audit of all computers (including servers, laptops, tablets, etc.) purchased with ISU funds. The audits will be performed using identity detection software (e.g., Identity Finder), which scans for sensitive data including:
    • social security numbers,
    • credit card information,
    • user/password data, and
    • other personal information (e.g., university IDs, dates of birth, etc.).
  • LAS IT personnel will work with departmental and research group system administrators to analyze, purge, or securely archive such data, in compliance with ISU data management policies.
  • The IT technician in your department or the LAS IT technician assigned to your area and their backup technician should have administrative access to all computers (including servers, laptops, tablets, etc.) purchased with ISU funds. This is the most effective way of ensuring appropriate data management. Department chairs can request exceptions by contacting Associate Dean Arne Hallam; exceptions will only be granted if security audits will be performed on a regular basis in close coordination with ITS and LAS IT personnel. It is essential that you consult with ITS and LAS IT personnel with regard to any systems which store, process, or grant access to protected information.
  • All ISU accounts must have passwords that meet university security standards.
  • Authenticated access and secure transmission of data will be required to access almost all campus services from off-campus computers. Regular audits will be performed.
  • All employees should be familiar with and follow existing ISU policies on information technology security and electronic privacy (see, e.g., IT Security Policy, Electronic Privacy, and Social Security Number Policy).

We are committed to keeping our student, faculty, and staff information – including yours! – protected against any unauthorized intrusions.

Please work with your IT personnel as they continue to enhance information security in the college.

Sincerely,

Beate Schmittmann, Dean