IT Security Standard: Computing Devices - Encryption and Configuration Audits

Encryption - Required

All Devices

  • Level 1 data must be encrypted when stored on devices or media that cannot adhere to the physical placement  requirements or connected to the network outside of a Critical Assets Zone.
  • Level 1 data must be encrypted when transported across the network outside of a Critical Asset Zone.
  • Encryption modules must adhere to Federal Information Processing Standards 140-2 or approved by the Information Security Officer.
  • Encryption key sizes must be sufficiently large to ensure protection from  brute force attacks  when used with the chosen encryption method.
  • Encryption keys must be protected with passwords that follow the university password standard
  • Encryption keys must be changed following the same principles identified in the university password and computer account standards.

Configuration Audits - Required

All Devices with Operating System Configuration Access

  • Documented configuration settings are confirmed prior to deployment of the device and at least annually thereafter reconciling with logged changes to the device.
  • The backup processes are confirmed based on the defined scope and schedule.
  • Recovery tests are implemented as defined for the device.
  • A vulnerability scan is completed and issues identified are remediated prior to deployment of the device and at campus standard intervals.
  • User access is confirmed following campus standards.


Continue to Access, Change Control and Incident Response | Return to Table of Contents

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000


Did you know?

Stay Safe Online Tips