Device Encryption

Created by Danny Wong, Modified on Sun, 25 Oct 2020 at 03:56 PM by Danny Wong

Policy Statement

All users of desktops, laptops, tablets, and mobile devices (whether Information Technologies & Services [ITS] tagged or untagged) must take care to protect confidential data. All devices tagged by ITS and used for Business purposes must be encrypted using an ITS-managed encryption solution unless otherwise exempted as defined in this policy. Users shall take care when accessing, storing, or transmitting confidential data on untagged devices, as described in this policy. All untagged removable storage drives, such as external hard drives or USB flash drives, must be encrypted if containing confidential data.


Reason for Policy

Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption can exempt Business from reporting requirements in the event of a theft or loss under the Information Security Breach and Notification Act, and it meets many of the security standards defined under the Privacy Act 1988.


Who Should Read this Policy

All individuals accessing, storing, sending, receiving, or transmitting any Business data.


1. Encryption of Supported Devices

Encryption shall be provided, at no additional charge, for any tagged device used by Business or, in select cases, by affiliates, provided the device is not otherwise exempted from this rule.


Business and affiliates with encrypted devices who are terminating their relationship with the Business must inform ITS or their department head prior to termination so that the encryption software and confidential data can be safely removed.


2.   Encryption of Unsupported Devices

Users are responsible for safeguarding high risk data on untagged devices, such as those that are individually or personally owned but used for Business purposes. In situations where an individual needs to access Business high risk data from an untagged device, secure channels shall be used. 


Examples of known secure channels (where available) are ITS-supported remote access connections, VPN connections, Wi-Fi networks secured with a password (not in public cafés or hotels), TeamViewer, or webmail. Users shall take care not to download or save sensitive attachments or files on untagged devices. In extenuating circumstances where high risk data must be stored on untagged devices, the devices should be encrypted to ensure the confidentiality of the data. Users of untagged and unencrypted devices are responsible for safeguarding and securing Business high risk data.


ITS is available to assist and provide “best effort” support to encrypt untagged devices. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.


3.   Variances to this Policy

All desktops, laptops, tablets, and mobile devices, whether individually owned or distributed by ITS and accessing, storing, sending, or receiving high risk data, must be encrypted. Variances shall be considered in relatively unusual circumstances only when the following conditions are met:


  1. The device is demonstrated, at least annually, not to contain protected data, and users attest that it will never be used for protected data;
  2. The device does not meet the minimum hardware requirements to support encryption or is known to be incompatible with a Business application;
  3. No practical encrypted alternative is available; and,
  4. A completed Request for Device Encryption Exemption form is submitted to ITS Support with approval from the Business Owner.

There is significant risk in not encrypting devices used to access Business data, and a breach may result in regulatory sanctions, impact to business reputation and, in some cases, fines for the business and the individual responsible for the data.


Any devices with an approved variance to this policy that change possession or are repurposed must be encrypted or filed under a new variance request.


4.   Device Decommission and Decryption

Users leaving Business must notify ITS in advance of leaving so any managed encryption software and high risk data can be safely removed. 


5.   Additional Resources

  1. Asset Disposal Form
  2. Request for Device Encryption Exemption


6.   Related Policies

  1. Data Classification
  2. Identity and Access Management
