This page describes the requirements and best practices in place within SOM to protect data. While most security policies and standards are applied to systems, the ultimate goal of these is to protect data within the environment. This may be student data, research data, demographic and administrative data, and so much more. There are certain legal requirements and ethical concerns that must be considered when looking at options for protecting this data. In general, SOMTech leads toward protecting managed devices and data as if it is category 1 data. The goal of this page is to describe how SOMTech protects the data and to help SOM faculty, staff, and students protect data they are using while still being productive.
If you are interested in meeting with SOMTech to discuss ways that you can effectively work while still following VCU, VCU Health, and SOMTech security and privacy standards (among others), please submit a ticket requesting a meeting.
One of the easiest ways to verifiably protect data is for it to be encrypted. VCU has an encryption standard which outlines when and how data should be encrypted. While this is not exhaustive (please read the standard), the primary times that data must be encrypted is as follows:
|Over the years, SOMTech has enforced encryption on flash drives primarily using 2 different solutions (IronKey drives and DDPE). In 2021, these solutions are being phased out. More details are below, but if you have any questions or concerns, please submit a ticket to SOMTech.|
SOMTech and VCU Health provided hardware-encrypted IronKey devices for many years. These devices required a password every time they were used, but worked on both VCU and VCU Health computers. They were also able to be used on any computer without administrative rights. If the password was forgotten, SOMTech could reset the password administratively (on SOMTech-managed drives). VCU Health used unmanaged IronKey drives which meant that they weren't able to help with forgotten passwords. They stopped providing IronKey drives in 2019.
|SOMTech will no longer be supporting the IronKey drives in 2021. Starting in 2021, it is unlikely that SOMTech will be able to help you reset your password if you forget it. This means that your data will be unrecoverable if you forget your password. The drives also have a self-destruct security feature after entering your password incorrectly 10 times.|
|SOMTech and VCU Health recommend that you use the VCU Health instance of Microsoft OneDrive in replacement of the IronKey drives. OneDrive is a secure location where HIPAA data can be stored and accessed from any computer or device connected to the internet. Google Drive is also a reasonable alternative, but functionality is limited and there is not as much integration with email and other Microsoft Office tools.|
In order to protect any data on IronKey drives, we are strongly encouraging that everyone who has an IronKey drive to please follow these steps:
View graphic version