Device Encryption Procedure

Introduction

This procedure outlines the requirements for encrypting data on all University of Waterloo-owned devices. This measure is essential to protect sensitive information and maintain the integrity and confidentiality of University data.

Scope

This procedure applies exclusively to University-owned devices, including but not limited to workstations (laptops and desktops), servers, phones, mobile devices, and fixed data drives. It does not extend to personally-owned devices used by employees for accessing University data. However, all individuals are responsible for the security of information to which they have access, regardless of the ownership of the device being used to access it.

Roles and Responsibilities

Employees

  • Protection of Information: Regardless of device ownership, all employees are responsible for the security of University information to which they have access and should follow best practices for data security on their devices.

  • Awareness and Compliance: Employees should be aware of this procedure and comply with it. If an employee desires an exception to this procedure, they are to contact Information Security Services.

Employees who do not use workstations managed by IST or Faculty IT teams are responsible for the encryption implementation and compliance assurance of their devices.

Information Security Services team (ISS)

  • Monitoring Compliance: ISS will perform regular monitoring of compliance for IST-managed devices.

  • Exception Handling: ISS will receive, manage, and document exceptions for IST-managed devices.

  • Support and Guidance: ISS will assist with risk assessment and security control recommendations for all University-owned devices.

IST Workstations team

  • Implementation: The Workstations team will support the encryption of IST-managed workstations and fixed data drives.

  • Compliance Assurance: The Workstations team will ensure compliance with this policy on IST-managed devices.

Faculty IT teams

Faculty IT teams who do not leverage services of the IST Workstations team are responsible for the encryption implementation and compliance assurance of workstations they manage. 

Procedure Details

Data Encryption Requirements

  • Encryption at Rest: All University-owned devices must have data encryption enabled to secure data at rest. Full-disk encryption should be used.

  • Types of Data: This procedure covers all non-public data stored on University-owned devices, including data classified as “confidential”, “restricted” or “highly restricted” under Policy 46.

  • Encryption Standards: Devices must use industry-standard encryption methods such as AES. The preferred standard of the University is XTS-AES 256-bit full-disk encryption.

Exception Handling

  • Requests for Exceptions for IST-Managed Devices: Requests for exceptions to this encryption requirement for IST-managed devices must be submitted to ISS via the IST Service Portal.

  • Requests for Exceptions for Other Devices: While non-IST-managed devices should generally follow this procedure, ISS will not manage a list of exceptions or monitor compliance for these devices. Nonetheless, use cases where full-disk encryption is not enabled should still be discussed with ISS, to help determine the risk involved and what other security controls can be put in place.

  • Approval Process: Exceptions will be evaluated and potentially granted by ISS on a case-by-case basis.

  • Documentation: All exceptions must be documented, detailing the reason and the duration for the exception.

Implementation Procedures

  • Encryption of IST-Managed Workstations and Fixed Data Drives: Requests for workstation and fixed data drive encryption should be addressed to the IST Workstations team via the IST Service Portal. The Workstations team will provide support, determine the best encryption methods, and ensure compliance with University procedures.

  • Encryption of Other Devices: Requests for encryption of all other types of devices should be submitted to the IST Service Portal to be addressed on a case-by-case basis.

Procedure Enforcement

  • Monitoring Compliance: Compliance with this procedure for IST-managed devices is monitored as outlined in the “Roles and Responsibilities” section.

  • Consequences of Non-Compliance: ISS may isolate non-compliant devices from the network.

Recommended Encryption Methods

The following are recommended encryption methods for various platforms. For help enabling encryption on your device, personal or University-owned, reach out via the IST Service Portal.

Windows devices

BitLocker: BitLocker provides full-disk AES encryption and is integrated into the operating system. 
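The procedure names XTS-AES 256-bit full-disk encryption as the University's preferred standard, and compliance monitoring depends on being able to read that state back from the device. The following PowerShell script is an added example, not part of this procedure or any IST tooling: it uses the BitLocker module that ships with Windows (`Get-BitLockerVolume`) to report, per volume, whether the volume is fully encrypted, whether protection is currently active rather than suspended, and whether the method matches the stated preference. The function name `Test-DeviceEncryptionCompliance` and the `Compliant`/`Finding` output columns are the example's own. It must be run from an elevated session on the workstation being checked; removable (BitLocker To Go) volumes, if present, are listed as well.

```powershell
# Added example: check each BitLocker volume on this workstation against the
# XTS-AES 256-bit preference. Requires Windows with the BitLocker module and
# an elevated PowerShell session. Not part of the University's procedure.

$PreferredMethod = 'XtsAes256'   # value Get-BitLockerVolume reports for XTS-AES 256-bit

function Test-DeviceEncryptionCompliance {
    param([string]$Preferred = $PreferredMethod)

    Get-BitLockerVolume | ForEach-Object {
        $fullyEncrypted = $_.VolumeStatus     -eq 'FullyEncrypted'
        $protectionOn   = $_.ProtectionStatus -eq 'On'   # 'Off' means suspended or no key protector
        $methodOk       = $_.EncryptionMethod -eq $Preferred

        # Record the first failing condition so a Service Portal request can be specific.
        if (-not $fullyEncrypted)  { $finding = "volume status is $($_.VolumeStatus)" }
        elseif (-not $protectionOn) { $finding = 'protection is suspended or off' }
        elseif (-not $methodOk)     { $finding = "method is $($_.EncryptionMethod), expected $Preferred" }
        else                        { $finding = 'ok' }

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            EncryptionMethod = $_.EncryptionMethod
            Compliant        = ($fullyEncrypted -and $protectionOn -and $methodOk)
            Finding          = $finding
        }
    }
}

# Usage: print the per-volume report and a one-line summary.
$report = Test-DeviceEncryptionCompliance
$report | Format-Table -AutoSize

$failing = @($report | Where-Object { -not $_.Compliant })
if ($failing.Count -eq 0) {
    Write-Output "All $($report.Count) BitLocker volume(s) meet the $PreferredMethod preference."
} else {
    Write-Output "$($failing.Count) of $($report.Count) volume(s) need attention; see the Finding column."
}
```

A volume that shows `FullyEncrypted` but `ProtectionStatus` of `Off` is a common false sense of security: the data is encrypted, but protection has been suspended (for example around a firmware update) and the drive unlocks without the key protector, so the script treats it as non-compliant rather than relying on `VolumeStatus` alone.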

macOS Devices

FileVault: FileVault offers full-disk AES encryption and is integrated into the operating system.

iOS Devices

Built-in Encryption: iOS devices have built-in encryption that is automatically enabled when you set a passcode. It is important to ensure that all iOS devices have a passcode set to maintain encryption. 

Android Devices

Built-in Encryption: Most modern Android devices come with encryption enabled by default. For devices where encryption is not enabled, it can typically be turned on in the security settings. It’s important to set a secure lock screen (PIN, pattern, or password) to activate the encryption.


Need help?

Contact the IST Service Desk online or 519-888-4567 ext. 44357.
