Because of the magnitude of effort, the University of Virginia has adopted a risk-based, phased approach for implementing this policy. The compliance phases are:
Phase 1: Desktop computers, laptops, tablets, smart phones, other mobile devices, and electronic media
Because the small size and portability of mobile devices and media make them a higher risk for theft, achieving policy compliance for these items takes priority over compliance for desktop computers. In Phase 1, the process of compliance begins on the policy's effective date, and quick action on each step outlined below is needed. Individuals are required to:
Find highly sensitive data on each of your mobile devices and media
It is the responsibility of individuals to determine if they have highly sensitive data on any of their individual-use device(s) and media and, if so, to ensure compliance with this policy.
Easy-to-use University-provided software is available to help individuals locate certain personal information on their computers. Once installed, the software will scan all computer files and list those that appear to include Social Security numbers, credit card numbers, or medical record numbers. The software presents the user with options for handling the files.
If you find no highly sensitive data on any of your mobile devices or media, you are done with this step and can move on to reviewing your desktop devices.
In addition to periodically running this software, individuals should routinely delete files in a secure manner when they are no longer needed.
If highly sensitive data are found, you must either:
Securely delete any highly sensitive data you find that are not needed for an approved business purpose or official records retention.
Move any highly sensitive data you find to a secure server if the data are needed for an approved business purpose or official records retention.
If assistance is needed accessing server space, please contact your department's IT support personnel or ITS Hosting.
If the highly sensitive data must be kept on your mobile device or media, then...
Get the responsible vice president or dean’s written approval. Complete this Highly Sensitive Data Storage Request form (approvalform.doc) and submit it to your department head/chair. If your department head/chair supports the request, he or she must forward the form to the appropriate vice president or dean for approval.
Both while waiting for approval and after receiving approval, the highly sensitive data must be protected:
Encrypt the device or media.
Follow strict security requirements to protect the device or media.
Individuals who are denied approval to store highly sensitive data must securely delete the data from their mobile device(s) and/or electronic media.
Phase 2: Desktops
The process for bringing desktop computers into compliance is the same as that for mobile devices and media described above. Compliance for desktop computers may be addressed as part of efforts by schools, departments, divisions, and business units to implement the Protection and Use of Social Security Numbers Policy. These plans must be completed by July 1, 2008, and they must be implemented by July 1, 2009.