This page describes the requirements and best practices in place within SOM to protect data. While most security policies and standards are applied to systems, the ultimate goal of these is to protect data within the environment. This may be student data, research data, demographic and administrative data, and so much more. There are certain legal requirements and ethical concerns that must be considered when looking at options for protecting this data. In general, SOMTech leads toward protecting managed devices and data as if it is category 1 data. The goal of this page is to describe how SOMTech protects the data and to help SOM faculty, staff, and students protect data they are using while still being productive.
If you are interested in meeting with SOMTech to discuss ways that you can effectively work while still following VCU, VCU Health, and SOMTech security and privacy standards (among others), please submit a ticket requesting a meeting.
One of the easiest ways to verifiably protect data is for it to be encrypted. VCU has an encryption standard which outlines when and how data should be encrypted. While this is not exhaustive (please read the standard), the primary times that data must be encrypted is as follows:
- Laptops (all laptops must be encrypted with a managed encryption solution)
- Category 1 data not stored on centrally secured and approved storage (e.g. VCU Health OneDrive, SOM T:\ and U:\ drives, and VCU Health H:\ and S:\ drives)
- Category 1 and 2 data transferred over untrusted networks
- Category 1 data being emailed and transferred over any network
External Media Encryption
SOMTech and VCU Health provided hardware-encrypted IronKey devices for many years. These devices required a password every time they were used, but worked on both VCU and VCU Health computers. They were also able to be used on any computer without administrative rights. If the password was forgotten, SOMTech could reset the password administratively (on SOMTech-managed drives). VCU Health used unmanaged IronKey drives which meant that they weren't able to help with forgotten passwords. They stopped providing IronKey drives in 2019.
IronKey Drives Phase-out Plan
In order to protect any data on IronKey drives, we are strongly encouraging that everyone who has an IronKey drive to please follow these steps:
- Copy all data off of your IronKey drive
- If you have forgotten how to use your IronKey drive or have forgotten your password, please submit a ticket to SOMTech. Do not attempt to login more than a few times as the drive will self-destruct after 10 incorrect attempts.
- Physically send your IronKey to SOMTech so that they can be removed rom the environment. Please do not include the password.
- Campus mail: Send to SOMTech, Box 980565
- Drop off: Drop off in the bin outside of the SOMTech Client Services office in Sanger Hall, B1-039 (near the rest rooms)