
In order to protect both the privacy of individuals within the university community and the reputation of the university, all employees working with confidential information must take measures to protect information in their care.

Encryption helps to reduce the risk of unintentional information exposure resulting from loss or theft of mobile devices.


Introduction

This procedure outlines the requirements for encrypting data on all University of Waterloo-owned devices. This measure is essential to protect sensitive information and maintain the integrity and confidentiality of University data.

Scope

This procedure applies exclusively to University-owned devices, including but not limited to workstations (laptops and desktops), servers, phones, mobile devices, and fixed data drives. It does not extend to personally owned devices used by employees to access University data. However, all individuals are responsible for the security of information to which they have access, regardless of who owns the device used to access it.

Roles and Responsibilities

Employees

  • Protection of Information: Regardless of device ownership, all employees are responsible for the security of University information to which they have access and should follow best practices for data security on their devices.

  • Awareness and Compliance: Employees should be aware of this procedure and comply with it. An employee who requires an exception to this procedure must contact Information Security Services.

Info: Employees who do not use workstations managed by IST or Faculty IT teams are responsible for the encryption implementation and compliance assurance of their devices.

Information Security Services team (ISS)

  • Monitoring Compliance: ISS will perform regular monitoring of compliance for IST-managed devices.

  • Exception Handling: ISS will receive, manage, and document exceptions for IST-managed devices.

  • Support and Guidance: ISS will assist with risk assessment and security control recommendations for all University-owned devices.

IST Workstations team

  • Implementation: The Workstations team will support the encryption of IST-managed workstations and fixed data drives.

  • Compliance Assurance: The Workstations team will ensure compliance with this policy on IST-managed devices.

Faculty IT teams

Faculty IT teams who do not leverage services of the IST Workstations team are responsible for the encryption implementation and compliance assurance of the workstations they manage.

Procedure Details

Data Encryption Requirements

  • Encryption at Rest: All University-owned devices must have data encryption enabled to secure data at rest. Full-disk encryption should be used

BlackBerry encryption

Members of the university community who work with confidential data on their BlackBerry devices should enable device encryption, also known as Content Protection, to safeguard information in the event the device is lost or stolen. The specific steps for enabling encryption vary slightly depending on the model. In essence, do the following:

  1. Enable password protection on the device (a minimum password length of six characters is recommended).

  2. Enable device encryption (may be labelled as Content Protection).

Security features on the BlackBerry device are accessed in the Options -> Security menu or Options -> Security Options menu.

iPad/iPhone/iPod Touch encryption

The operating system for Apple's mobile device portfolio, iOS, offers hardware-level device encryption referred to as data protection. On supported devices, data protection is enabled automatically when you create a passcode.

Encryption of Android-based devices

  • Types of Data: This procedure covers all non-public data stored on University-owned devices, including data classified as “confidential”, “restricted” or “highly restricted” under Policy 46.

  • Encryption Standards: Devices must use industry-standard encryption methods such as AES. The preferred standard of the University is XTS AES-256-bit full-disk encryption.

Exception Handling

  • Requests for Exceptions for IST-Managed Devices: Requests for exceptions to this encryption requirement for IST-managed devices must be submitted to ISS via the IST Service Portal.

  • Requests for Exceptions for Other Devices: While non-IST-managed devices should generally follow this procedure, ISS will not manage a list of exceptions or monitor compliance for these devices. Nonetheless, use cases where full-disk encryption is not enabled should still be discussed with ISS, to help determine the risk involved and what other security controls can be put in place.

  • Approval Process: Exceptions will be evaluated and potentially granted by ISS on a case-by-case basis.

  • Documentation: All exceptions must be documented, detailing the reason and the duration for the exception.

Implementation Procedures

  • Encryption of IST-Managed Workstations and Fixed Data Drives: Requests for workstation and fixed data drive encryption should be addressed to the IST Workstations team via the IST Service Portal. The Workstations team will provide support, determine the best encryption methods, and ensure compliance with University procedures.

  • Encryption of Other Devices: Requests for encryption of all other types of devices should be submitted to the IST Service Portal to be addressed on a case-by-case basis.

Procedure Enforcement

  • Monitoring Compliance: Compliance with this procedure for IST-managed devices is monitored as outlined in the “Roles and Responsibilities” section.

  • Consequences of Non-Compliance: ISS may isolate non-compliant devices from the network.

Recommended Encryption Methods

The following are recommended encryption methods for various platforms. For help enabling encryption on your device, personal or University-owned, reach out via the IST Service Portal.

Windows devices

BitLocker: BitLocker provides full-disk AES encryption and is integrated into the operating system.

macOS Devices

FileVault: FileVault offers full-disk AES encryption and is integrated into the operating system.

iOS Devices

Built-in Encryption: iOS devices have built-in encryption that is automatically enabled when you set a passcode. It is important to ensure that all iOS devices have a passcode set to maintain encryption.

Android Devices

Built-in Encryption: Most modern Android devices come with encryption enabled by default. On devices where encryption is not enabled, it can typically be turned on in the security settings. It is important to set a secure lock screen (PIN, pattern, or password), since the lock screen credential is what activates the encryption.


Need help?

Contact the IST Service Desk online or at 519-888-4567 ext. 44357.
