Full Disk Encryption Policy

Version 1.0

Purpose

This policy establishes requirements for the use of disk encryption technologies on the University’s IT Resources to protect the confidentiality of information.[1]

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the Fordham IT staff (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • Laptops, desktops, and servers are required to employ full disk encryption regardless of their intended use or the data stored on them.
  • Users may obtain the encryption software from the University Information Security Office (UISO) or use other UISO approved encryption software.
  • Users must not attempt to disable, remove, or otherwise tamper with the encryption software.
  • Since some countries have encryption import and use restrictions, check with the U.S. Department of State before traveling internationally with encrypted IT Resources to ensure that you have the most up-to-date information, or consult with the UISO if you have questions.

[1] Recommendations of the National Institute of Standards and Technology

[2] Several countries negotiated rules to facilitate traveling with encryption software known as the Wassenaar Arrangement. One provision allows a traveler to freely enter a participating country with an encrypted device under a personal use exemption as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting.

Definitions

Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key.

Full disk encryption (FDE), also known as whole disk encryption, is the process of encrypting all the data on the hard drive(s) on a computer, including the computer’s OS, and permitting access to the data only after successful authentication to the FDE product.

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Security
Approved By: CISO
Approval Date: August 30, 2018

Revision History

Version Date Description
1.0 08/30/2018 08/30/2018

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by the University Information Security Office (UISO) may only be done cooperatively between the UISO and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Willful failure to adhere to UISO written policies may be met with University sanctions.