- No labels
This page describes the requirements and best practices in place within SOM to protect data. While most security policies and standards are applied to systems, the ultimate goal of these is to protect data within the environment. This may be student data, research data, demographic and administrative data, and so much more. There are certain legal requirements and ethical concerns that must be considered when looking at options for protecting this data. In general, SOMTech leads toward protecting managed devices and data as if it is category 1 data. The goal of this page is to describe how SOMTech protects the data and to help SOM faculty, staff, and students protect data they are using while still being productive.
If you are interested in meeting with SOMTech to discuss ways that you can effectively work while still following VCU, VCU Health, and SOMTech security and privacy standards (among others), please submit a ticket requesting a meeting.
One of the easiest ways to verifiably protect data is for it to be encrypted. VCU has an encryption standard which outlines when and how data should be encrypted. While this is not exhaustive (please read the standard), the primary times that data must be encrypted is as follows:
- Laptops (all laptops must be encrypted with a managed encryption solution)
- Category 1 data not stored on centrally secured and approved storage (e.g. VCU Health OneDrive, SOM T:\ and U:\ drives, and VCU Health H:\ and S:\ drives)
- Category 1 and 2 data transferred over untrusted networks
- Category 1 data being emailed and transferred over any network
External Media Encryption
Over the years, SOMTech has enforced encryption on flash drives primarily using 2 different solutions (IronKey drives and DDPE). In 2021, these solutions are being phased out. More details are below, but if you have any questions or concerns, please submit a ticket to SOMTech.
SOMTech and VCU Health provided hardware-encrypted IronKey devices for many years. These devices required a password every time they were used, but worked on both VCU and VCU Health computers. They were also able to be used on any computer without administrative rights. If the password was forgotten, SOMTech could reset the password administratively (on SOMTech-managed drives). VCU Health used unmanaged IronKey drives which meant that they weren't able to help with forgotten passwords. They stopped providing IronKey drives in 2019.
IronKey Drives Phase-out Plan
SOMTech will no longer be supporting the IronKey drives in 2021. Starting in 2021, it is unlikely that SOMTech will be able to help you reset your password if you forget it. This means that your data will be unrecoverable if you forget your password. The drives also have a self-destruct security feature after entering your password incorrectly 10 times.
SOMTech and VCU Health recommend that you use the VCU Health instance of Microsoft OneDrive in replacement of the IronKey drives. OneDrive is a secure location where HIPAA data can be stored and accessed from any computer or device connected to the internet. Google Drive is also a reasonable alternative, but functionality is limited and there is not as much integration with email and other Microsoft Office tools.
In order to protect any data on IronKey drives, we are strongly encouraging that everyone who has an IronKey drive to please follow these steps:
- Copy all data off of your IronKey drive
- If you have forgotten how to use your IronKey drive or have forgotten your password, please submit a ticket to SOMTech. Do not attempt to login more than a few times as the drive will self-destruct after 10 incorrect attempts.
- Physically send your IronKey to SOMTech so that they can be removed rom the environment. Please do not include the password.
- Campus mail: Send to SOMTech, Box 980565
- Drop off: Drop off in the bin outside of the SOMTech Client Services office in Sanger Hall, B1-039 (near the rest rooms)
DDPE External Media Encryption
Information about the migration away from DDPE External Media Encryption will be coming soon.