FAQ – Mobile Computing and Storage Devices Policy

What data must be encrypted?

All University of Florida restricted data stored on mobile computing and storage devices, regardless of ownership, must be encrypted.

What is Restricted Data?

Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export controlled technical data.

For additional information, see University of Florida Regulation, UF-1.0103 Policies on Restricted Data.

What is considered a mobile computing device?

Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:

  • Laptop, notebook, netbook and similar portable personal computers
  • Smartphones and PDAs (Android, Blackberry, iPhone, and others)

What is considered a mobile storage device?

Media that can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:

  • Magnetic storage devices (diskettes, tapes, USB hard drives)
  • Optical storage devices (CDs, DVDs, magneto-optical disks)
  • Memory storage devices (SD cards, thumb drives, etc.)
  • Portable devices that make nonvolatile storage available for user files (cameras, MP3 and other music players, audio recorders, smart watches, cell phones)

What devices must be encrypted?

All mobile computing and storage devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts are within scope.

Mobile computing devices purchased after August 17, 2011 must have whole disk encryption enabled. All mobile computing devices purchased prior to August 17, 2011 must have whole disk encryption enabled no later than August 17, 2013.

Mobile computing devices purchased prior to August 17, 2011 that store University of Florida restricted data must encrypt that data in an alternate manner until the August 17, 2013 compliance date.

All mobile storage devices must be enabled with hardware-based encryption. The only exceptions to this are for specific uses where no restricted data will be stored and encryption would interfere with the device’s intended use.

Who is responsible for encrypting mobile computing and storage devices purchased with University of Florida funds?

All University of Florida deans, directors and department chairs, in conjunction with their IT support teams, are responsible for migrating all existing uses of mobile computing and storage devices within their areas of responsibility to devices and services that are compliant with University policies and standards.

Do personally owned mobile computing and storage devices have to be encrypted?

All University of Florida restricted data stored on mobile computing and storage devices, regardless of ownership, must be encrypted.

Who is responsible for encrypting personally owned mobile computing and storage devices?

All members of the University of Florida constituency who are currently using personally owned mobile computing and storage devices that access the University of Florida Intranet and/or store University of Florida restricted data are required to bring their personal device into compliance with University of Florida policies and standards.

What devices are required to be inventoried?

Mobile computing devices purchased with University of Florida funds, including, but not limited to contracts, grants, and gifts, must be recorded in the unit’s information assets inventory. Mobile storage devices, including USB flash drives and CD or DVD media, do not need to be inventoried.