By Shandon Bates, Director of Systems and Operations
As a university, WCU frequently handles sensitive data, from student records to health care information to financial data. Over time, the amount of sensitive data that we are required to store has grown. So, too, have the regulatory requirements around protecting that data, as state and federal requirements for data protection standards and data loss reporting become more and more stringent. HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), PII (Personally Identifiable Information), PCI (Payment Card Industry) and SOX (Sarbanes–Oxley Act) are but a few of the acronyms that we must decipher in the interest of keeping WCU data storage and retention in compliance. To protect the confidentiality and integrity of the university’s sensitive data, we have implemented several tools, including firewalls, a password complexity requirement, data backup standards, malware filtering, and a few network-specific configuration items.
While we have been successful in protecting the confidentiality and integrity of the university’s sensitive data, we have not been able to address the sharing of encrypted data between departmental users. In February 2009, an IT team was assembled with the intent of creating a data encryption standard for the university. Vendors and products were tested against a range of criteria that included cross-platform functionality, ease of use, product feature set and, of course, price. The focus was on finding a product that could encrypt local data on laptop hard drives and could be extended to handle other needs. A final product was chosen, but due to budget constraints the project was shelved.
At the end of the last fiscal year we were able to proceed with purchasing software and licenses to begin piloting an encryption solution. Utilizing the research done by the team in 2009, and recognizing that we needed to address encrypting shared files, we purchased management software that allows us to allocate and track licenses and ensure that keys can be recovered, in order to mitigate the possibility of losing data. An additional package that we purchased allows us to securely share files containing sensitive information. We are in the process of testing the solution with the physical therapy department, which uses an industry-standard database application to admit students to its graduate program. Once the issues surrounding deployment, user training and data access are resolved and a process is in place, we will be able to offer the service to other campus entities.
For more information on data encryption at WCU, contact Shandon Bates at sbates@wcu.edu.