For Critical or Restricted Highly Sensitive Institutional Data Stored on Mobile Devices and External Network Transport:
Federal Information Processing Standards (FIPS) compliant encryption is recommended for critical or restricted highly sensitive data stored on disk and for critical or restricted highly sensitive data transported off campus over a network. The Information Security and Policy Office is available to determine whether specific encryption software is acceptable.
Either full disk or folder encryption is required for critical or restricted highly sensitive data stored on mobile devices.
Advanced Encryption Standard (AES) with a 128-bit key or longer is suggested for disk encryption. To prevent data loss, a key management system is strongly recommended. Key management systems should provide secure key storage, distribution, revocation, recovery, and escrow. Passwords protecting encryption keys must be complex and at least 15 characters long. Encryption software and support recommendations will follow shortly.
Encryption is required for external network transport of critical or restricted highly sensitive data.
External network transport is defined as network communications originating from or destined to a host outside of the University of Iowa managed network, or carried over any public network. External network transport of critical or restricted highly sensitive data must be encrypted from source to destination and authenticated using Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Internet Protocol Security (IPsec), or another industry-standard secure communications protocol. Plaintext-based protocols are specifically prohibited for external network transport of critical or restricted highly sensitive data. Critical or restricted highly sensitive data should not be sent via e-mail. Encrypted transport must be authenticated with a certificate, a username and password, or a pre-shared key. Pre-shared keys should be at least 64 characters long.