In order to protect both the privacy of individuals within the university community and the reputation of the university, all employees working with confidential information must take measures to protect information in their care.

Encryption helps to reduce the risk of unintentional information exposure resulting from loss or theft of mobile devices.

Introduction

This procedure outlines the requirements for encrypting data on all University of Waterloo-owned devices. This measure is essential to protect sensitive information and maintain the integrity and confidentiality of University data.

...

This procedure applies exclusively to University-owned devices, including but not limited to workstations (laptops and desktops), servers, phones, mobile devices, and fixed data drives. It does not extend to personally-owned devices used by employees for accessing University data. However, all individuals are responsible for the security of information to which they have access, regardless of the ownership of the device being used to access it.

...

  • Protection of Information: Regardless of device ownership, all employees are responsible for the security of University information to which they have access and should follow best practices for data security on their devices.

  • Awareness and Compliance:  Employees should be aware of this procedure and comply with it.  If an employee desires an exception to this procedure, they are to contact Information Security Services.

Employees who do not use workstations managed by IST or Faculty IT teams are responsible for the encryption implementation and compliance assurance of their devices.

Information Security Services team (ISS)

...

  • Encryption at Rest: All University-owned devices must have data encryption enabled to secure data at rest.  Full-disk encryption should be used.

  • Types of Data: This procedure covers all non-public data stored on University-owned devices, including data classified as “confidential”, “restricted” or “highly restricted” under [Policy 46](https://uwaterloo.ca/records-management/policy-46-guide/guidance-information-confidentiality-classification).

  • Encryption Standards: Devices must use industry-standard encryption methods such as [AES](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf). The preferred standard of the University is XTS AES-256-bit full-disk encryption.

...

  • Requests for Exceptions for IST-Managed Devices: Requests for exceptions to this encryption requirement for IST-managed devices must be submitted to ISS via the [IST Service Portal](https://uwaterloo.atlassian.net/servicedesk/customer/portal/2).

  • Request for Exceptions for Other Devices: While non-IST-managed devices should generally follow this procedure, ISS will not manage a list of exceptions or monitor compliance for these devices.  Nonetheless, use cases where full-disk encryption is not enabled should still be discussed with ISS, to help determine the risk involved and what other security controls can be put in place.

  • Approval Process: Exceptions will be evaluated and potentially granted by ISS on a case-by-case basis.

  • Documentation: All exceptions must be documented, detailing the reason and the duration for the exception.

...

...

The following are recommended encryption methods for various platforms. For help enabling encryption on your device, personal or University-owned, reach out via the [IST Service Portal](https://uwaterloo.atlassian.net/servicedesk/customer/portal/2).

Windows devices

BitLocker (see the article "BitLocker Windows Laptop or Notebook encryption"): BitLocker provides full-disk AES encryption and is integrated into the operating system.

macOS Devices

[FileVault](https://support.apple.com/en-ca/guide/mac-help/mh11785/mac): FileVault offers full-disk AES encryption and is integrated into the operating system.

...

Need help?

Contact the IST Service Desk online or at 519-888-4567 ext. 44357.
