Unit Standard
Title
School of Nursing: Encryption Standard
Introduction
Purpose
This standard is intended to explain the requirements and implementation of storage encryption in the University of North Carolina at Chapel Hill ("University") School of Nursing (SON). This policy aims to ensure that any sensitive data in the SON is protected and stored appropriately. In accordance with FERPA and HIPAA requirements, all computer devices provisioned by the SON should be encrypted; this includes desktops, phones, and tablets. Personal devices (BYOD), or devices that lack a compatible TPM module and therefore cannot be encrypted, should not be used to store sensitive data.
Scope
This Standard applies to all members of the SON community including faculty, staff, and students.
Standard
A. University Information Classifications
- Tier 0: Public Information. Public information is information that is approved to publish to anyone.
- Tier 1: Business Information. The public does not have direct access to business information. Business information is mainly for internal use and operating the University.
- Tier 2: Confidential Information. Confidential information can only be disclosed for limited purposes. The University must keep information confidential because of a:
  - Law,
  - Regulation,
  - Contract, or
  - Policy.
- Tier 3: Restricted Information. Restricted information can only be disclosed for limited purposes. To prevent improper disclosure, this information has safety requirements set by:
  - Contract,
  - Law, or
  - Regulation.
B. BitLocker (Windows)
BitLocker Requirement
All Windows OS devices provisioned by the SON must have BitLocker enabled. BitLocker provides full-disk XTS-AES 128-bit encryption to adequately protect the machine from brute force attacks. BitLocker will be enabled either before or immediately after a user receives their computer.
PIN Requirement
For domain-joined computers, BitLocker must be configured with a PIN, with the following requirements:
- Between 6 and 22 characters
- Letters, numbers, and special characters
SON IIT will set a generic PIN and then collaborate with the user to change it to their permanent PIN, provided it meets the complexity requirements.
A user’s BitLocker PIN should not be easily guessed and should only be stored in a secure location. This PIN must be entered every time the computer starts after a reboot or shutdown; until it is entered, the Windows login page cannot be reached. If the PIN is entered incorrectly 32 times, the computer shuts down, and further failed attempts will require the 48-digit recovery key.
Note: Changing an existing PIN does not require elevation; setting one up for the first time does.
BitLocker Implementation
To enable BitLocker on a new domain-joined computer, these steps may be followed:
- Search Windows for ‘Manage BitLocker’ or locate it in the Control Panel.
- Click on ‘Turn on BitLocker’ and authenticate as administrator.
- Follow the prompts, accepting all defaults.
- Configure a PIN as needed.
- When finished, reboot the computer.
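The same enablement can be scripted for IIT-provisioned machines so that the protector type, cipher, and recovery-key escrow match this standard every time. The following PowerShell is an added example written for this page; it is not SON IIT's own tooling. It assumes an elevated session on a domain-joined computer with a present, ready TPM, and Group Policy that allows TPM+PIN startup, enhanced (non-numeric) PINs, and backup of recovery information to Active Directory. The 6-22 character check reflects the PIN requirement above.

```powershell
# Added example (not part of the SON standard): enable BitLocker on the OS
# drive with a TPM+PIN protector and XTS-AES 128, then escrow the 48-digit
# recovery password to the computer's Active Directory object.
# Assumes: elevated session, ready TPM, and policy permitting TPM+PIN,
# enhanced PINs, and AD backup of recovery information.
#Requires -RunAsAdministrator

$MountPoint = "C:"

# 1. A machine without a usable TPM cannot meet the standard; stop early.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found; this computer must not be used to store sensitive data."
}

# 2. Collect the PIN without echoing it and enforce the standard's 6-22 length.
#    Letters and special characters additionally require the
#    'Allow enhanced PINs for startup' policy.
$pin = Read-Host -Prompt "Enter the BitLocker startup PIN" -AsSecureString
if ($pin.Length -lt 6 -or $pin.Length -gt 22) {
    throw "PIN must be between 6 and 22 characters (got $($pin.Length))."
}

# 3. Turn on BitLocker with a TPM+PIN key protector and the XTS-AES 128 cipher.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already on for $MountPoint; leaving protectors as they are."
} else {
    Enable-BitLocker -MountPoint $MountPoint `
        -EncryptionMethod XtsAes128 `
        -TpmAndPinProtector -Pin $pin | Out-Null
}

# 4. Ensure a numerical recovery password (the 48-digit key) exists.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 5. Escrow each recovery password to the computer's AD object so IIT can
#    recover the drive without depending on a copy held by the user.
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Host "Recovery password $($kp.KeyProtectorId) backed up to Active Directory."
}

Write-Host "Reboot the computer; BitLocker runs its hardware test and then begins encrypting."
```

The PIN is read as a SecureString and never written to disk or the console; the user can later change it without elevation, as the note above states.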
BitLocker Recovery
Any domain-joined computer that completes BitLocker setup will have its recovery key stored in the corresponding computer object in Active Directory. This key is a 48-digit string of numbers organized into eight groups of six and can be entered by accessing BitLocker recovery mode on the target computer. Ideally, this key should be entered in person by an IIT staff member, but it may also be communicated over the phone. If remote recovery is necessary, SON IIT should take the necessary steps to verify the user's identity according to University guidelines.
BitLocker Compliance
If a device is out of compliance with these policies, that device may no longer be used for any work involving sensitive information, and it must be promptly brought into compliance by SON IIT. This can be done in person or via Zoom. After discovering an active, non-compliant computer, SON IIT must conduct a review of that computer’s stored data, access history, and security status to ensure that there has been no breach or security incident. Examples of non-compliance include, but are not limited to:
- BitLocker being turned off or disabled;
- A PIN being written in plain sight near the computer;
- A PIN being removed; or
- A missing recovery key on the Active Directory computer object.
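Most of the non-compliance examples above can be detected from the machine itself, which lets IIT check a computer before it is used for sensitive work rather than after. The following PowerShell audit is an added example for this page, not SON IIT's own script. It assumes an elevated session, the built-in BitLocker module, and, for the escrow check, the RSAT ActiveDirectory module with read access to the msFVE-RecoveryInformation objects under the computer's AD object.

```powershell
# Added example (not part of the SON standard): audit the OS drive of a
# domain-joined Windows computer against the BitLocker requirements and
# report each finding as PASS/FAIL.
# Assumes: elevated session, BitLocker module, and the RSAT ActiveDirectory
# module for the recovery-key escrow check.
#Requires -RunAsAdministrator

function Test-SonBitLockerCompliance {
    param([string]$MountPoint = "C:")

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType
    $findings = [ordered]@{}

    # "BitLocker turned off or disabled": protection must be on and complete,
    # using the XTS-AES 128 cipher the standard names.
    $findings['ProtectionOn']    = ($vol.ProtectionStatus -eq 'On')
    $findings['FullyEncrypted']  = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $findings['XtsAes128']       = ($vol.EncryptionMethod -eq 'XtsAes128')

    # "PIN removed": a TPM-only protector means the startup PIN is gone.
    $findings['TpmPinProtector'] = ($types -contains 'TpmPin')

    # A numerical recovery password must exist on the volume ...
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $findings['RecoveryPassword'] = [bool]$recovery

    # ... and "missing recovery key on the AD computer object": every local
    # recovery password must also be present under the computer's AD object.
    $escrowed = $false
    try {
        $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
        $adKeys = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
            -Properties 'msFVE-RecoveryPassword'
        $missing = $recovery | Where-Object {
            $adKeys.'msFVE-RecoveryPassword' -notcontains $_.RecoveryPassword }
        $escrowed = ($recovery.Count -gt 0) -and -not $missing
    } catch {
        Write-Warning "Could not query Active Directory: $($_.Exception.Message)"
    }
    $findings['RecoveryKeyInAD'] = $escrowed

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MountPoint = $MountPoint
        Compliant  = -not ($findings.Values -contains $false)
        Findings   = $findings
    }
}

$result = Test-SonBitLockerCompliance
$result.Findings.GetEnumerator() | ForEach-Object {
    "{0,-18} {1}" -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if (-not $result.Compliant) {
    Write-Warning "$($result.Computer) is NOT compliant; stop sensitive work until SON IIT remediates."
}
```

A PIN written near the computer cannot be detected by software, so that item remains a physical check during the in-person or Zoom review. The AD comparison is deliberately strict: a recovery password that exists locally but was never escrowed is reported as a failure, since that is exactly the case in which IIT would be unable to recover the drive.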
C. FileVault (MacOS)
FileVault Requirement
All MacOS devices provided by the SON or used for SON-related business must have FileVault enabled. FileVault offers full-disk XTS-AES 128-bit encryption to adequately protect the machine from brute force attacks. FileVault will be activated once a user receives their laptop and completes the JAMF enrollment process to create their profile and associate the computer with a configuration profile. While several factors are involved in implementing and using FileVault, it is essential to note that an ideal setup configures FileVault for all local accounts on the machine, saves the recovery key in a secure location, and registers an institutional FileVault key with the UNC JAMF platform.
FileVault Implementation
To enable FileVault on a SON-issued MacBook, the following steps can be used:
- Log into the computer and go to System Settings (formerly System Preferences).
- Locate the FileVault section, sometimes found within Security & Privacy.
- Click the padlock on the bottom left if needed, then click ‘Turn on FileVault…’
- Enter an administrator name and password for the computer.
- For each user listed in the authentication window that appears, enter the relevant password.
- When prompted, it may be preferable to select ‘Create a recovery key and do not use my iCloud account.’
- The resulting recovery key file should be stored in the user’s UNC-based OneDrive, a personal SecNAS drive folder, or a password manager such as the University's implementation of LastPass.
- Finish the prompts and proceed with encryption. A reboot afterwards is preferable.
FileVault Recovery
Due to evolving processes, some FileVault recovery keys will be stored in the nc.jamfcloud.com platform. Others may be attached to a user’s email or stored in a file. This should be examined on a case-by-case basis as needed. For most MacOS computers, it may be preferable to reimage the computer (erase and reinstall MacOS) rather than go through recovery.
FileVault Compliance
If a device is out of compliance with these policies, that device may no longer be used for any work involving sensitive information, and it must be promptly brought into compliance by SON IIT. This can be done in person or via Zoom. After discovering an active, non-compliant computer, a review must be conducted of that computer’s stored data, access history, and security status to ensure that there has been no breach or security incident. Examples of non-compliance include, but are not limited to:
- BitLocker being turned off or disabled;
- A PIN being written in plain sight near the computer;
- A PIN being removed; or
- A missing recovery key on the Active Directory computer object.
D. Mobile Devices
iOS and iPadOS Devices
Per Apple, iOS devices are automatically configured with Data Protection, which is an Apple-proprietary AES Engine encryption method. For best security, all iOS and iPadOS devices used to conduct business in the School of Nursing should have a passcode, FaceID, or other protection methods that prevent unwanted access to the device. No sensitive data should be stored on these devices; instead, platforms approved for the related level of data should be used to store it.
Android-based Devices
The SON does not support Android devices and will not approve any procurement or provisioning of such devices. Encryption of such devices falls under the user’s discretion and is considered BYOD. Additionally, such devices are not suitable for storing any sensitive information.
Related Requirements
External Regulations and Consequences
Contact Information
Primary Contact
Name: RJ Libunao, Assistant Dean for Informational and Instructional Technologies
Email: rjlibunao@unc.edu
Other Contacts
Name: Cody Jacobson
Email: cjacobson@unc.edu