Data Encryption Policy

Policy Purpose

This policy defines the encryption of highly sensitive data in various forms and formats on campus.

Policy Statement

It shall be the policy of the University of Arkansas-Fort Smith to encrypt all highly sensitive data wherever the data is located if possible.

Applicability

This policy applies to all University employees, students, and vendors that have access to highly sensitive data.

Definitions

Highly Sensitive Data - Information that, if disclosed to unauthorized persons, would be a violation of federal or state laws, university policy, or university contracts.

VPN – virtual private network.

Policy Procedure

1. Backups – All data being backed up needs to be encrypted for transmission across the network.
2. Emails – Emails containing highly sensitive information need to be encrypted with encryption software when transmitted.
3. File transfers – File transfers with sensitive data need to be encrypted across the network using a secure protocol such as SFTP.
4. Network Device Access - Remote access logins to network devices need to be encrypted with a secure protocol such as SSH (Secure Shell).
5. Passwords – Passwords should always be encrypted when transmitted across the network using secure protocols such as Microsoft Active Directory Kerberos and SSH.
6. Sensitive data – Highly sensitive data needs to be encrypted across the network when clients access web sites. Web sites and browsers need to use up-to-date SHA certificates and protocols, such as SHA2 (2048 bits) certificates and HTTPS with up-to-date TLS (Transport Layer Security) protocols, along with up-to-date ciphers.
7. Server Remote Access – Remote access logins to servers on the network need to be encrypted with secure protocols such as SSH for Linux/AIX and RDP (Remote Desktop Protocol) with high TLS encryption for Windows.
8. VPN – Access to the campus network from off campus via the VPN (Virtual Private Network) needs to be encrypted using secure protocols such as SHA2 certificates, up-to-date TLS protocols, and up-to-date ciphers.
9. All Microsoft cloud data (Outlook email, Teams, OneDrive, SharePoint, etc.) is encrypted at rest.
10. Banner data is encrypted at rest in the Oracle cloud.
11. Workday data is encrypted at rest in the Workday cloud.
12. Note: All highly sensitive cloud data should be encrypted at rest by the 3rd party vendors, or by IT before sending the data to the cloud for storage.
13. Note: All backups of highly sensitive data are to be encrypted at rest or secured with a username and strong password if encryption at rest is not an option.
14. Note: Encrypting highly sensitive data at rest on local servers hosted in secured campus data centers is to be based on a Risk Analysis by the IT department.
15. Note: Encryption of data at rest can be easily bypassed by obtaining credentials with high enough privileges (through stealth) to obtain the data.
16. Laptops, tablets, iPads, etc. – Highly sensitive data should normally not be stored on laptops, tablets, iPads, or other mobile computers, because they have the potential to be lost or stolen. If there is a valid reason to store sensitive data on these devices, then the device needs to be encrypted at rest. Windows devices can be encrypted using Windows BitLocker, and Apple Macs can be encrypted using Apple FileVault encryption. Contact the IT Service Desk for help with encryption on portable computing devices.
17. USB devices, portable external drives, and other removable media – Highly sensitive data should normally not be stored on a portable external drive, a backup device such as a USB stick, or any other type of removable media, as they have the potential to be lost or stolen. If there is a valid reason to store highly sensitive data, then the data needs to be encrypted at rest. Removable media on Windows devices can be encrypted using Windows BitLocker, and on Apple Macs using Apple FileVault encryption. See the following document to encrypt your removable media (USB sticks, etc.) on Windows or Mac.
18. Repair of drives - Any data drives sent outside the University for repair that contain sensitive data must either be encrypted at rest (if possible) or have the data removed (if possible).

Enforcement

Violators may be subject to disciplinary action. See the Student Handbook and Code of Conduct (https://catalog.uafs.edu/content.php?catoid=3&navoid=28#student-coderights-and-responsibilities-in-misconduct-proceeding) and the Faculty and Staff Handbook (https://catalog.uafs.edu/content.php?catoid=3&navoid=46).

Policy Management

This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.

Exclusions

None Applicable.

Effective and Approved Date

This internal policy was approved by Terry Meadows – Director of IT/CIO on X/X/202X.

Last Updated

This policy was last updated by Terry Meadows on 10/1/2025 for accessibility compliance.