Iowa university employees should encrypt all portable devices, auditor says

Apr. 23, 2015 1:47 pm, Updated: Apr. 24, 2015 11:54 am
COUNCIL BLUFFS - State Auditor Mary Mosiman on Thursday told the Board of Regents that its public universities should have policies and systems in place requiring the portable devices of employees be encrypted - a recommendation her office first made nearly three years ago.
Data breaches nationally have become more common and concerning, Mosiman said during the board's monthly meeting.
“And one of the best practices that can take place is to encrypt portable devices,” she said.
Regents President Bruce Rastetter responded to Mosiman's recommendations by saying the board will draft a policy over the next couple months requiring the universities to take action “as quickly as they can.” The board could have a new policy to consider on the topic at its June meeting, Rastetter said.
Neither University of Iowa nor Iowa State University has policies ensuring the encryption of all portable devices, according to Mosiman. University of Northern Iowa requires devices containing financial and administrative data to be encrypted, but its policies could go further, she said.
Iowa's Office of Auditor of State first recommended all three universities strengthen policies to mandate portable devices be encrypted in 2012.
“Encryption helps protect sensitive information stored on portable devices by rendering data unintelligible to unauthorized users,” according to the 2012 recommendation. “Portable devices, including laptop computers and USB drives, present a risk to the university until they are encrypted.”
In response to those recommendations, UI officials in the 2012 report said five university laptops had been lost or stolen in the previous seven years - none containing sensitive information.
“The university believes it would be prohibitively expensive, primarily in support resources, to reduce the residual risk,” according to the UI response. “Staff resources to support the infrastructure necessary for a comprehensive portable device encryption service are not currently available.”
The university did vow to review and strengthen all policies, guidelines, and resources that address portable devices to support its existing requirements that devices storing highly sensitive information be encrypted.
“University policy will be further reinforced to require scanning of all mobile devices for sensitive information on a regular basis,” according to the UI response in 2012.
Iowa State officials in 2012 also responded to the auditor's recommendations by saying a requirement to encrypt all portable devices “would be prohibitively expensive.” And UNI officials responded by saying staff resources necessary for a comprehensive portable device encryption service “are not currently available.”
“The capital cost to procure a managed campus solution for tens of thousands of devices would be significant,” according to UNI's 2012 response.
Mosiman told The Gazette on Thursday that she knew her recommendations could take time to implement, which is why she didn't mention anything in her 2013 audits of the universities.
“But we wanted to bring it to the attention of the Board of Regents” this year, she said.
A mobile device in use at the University of Iowa. (Gazette file photo)