Disk Encryption Policy
Version 2.2
For Students, Faculty, Staff, Guests, Alumni
Purpose
This policy establishes requirements for using disk encryption technologies on the University’s IT Resources to protect the confidentiality of information.
Scope
This IT policy, and all policies referenced herein, shall apply to all members of the Fordham IT staff (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- IT Resources, such as laptops, desktops, and servers, are required to employ Full Disk Encryption. In addition, all databases and backups must be encrypted.
- You are required to employ encryption for all Fordham Sensitive and Fordham Protected data regardless of the medium (e.g., USB storage device, external hard drive, cloud storage).
- Users may obtain encryption software from Information Security and Assurance (ISA) or use other ISA-approved encryption software.
- Users must not attempt to disable, remove, or otherwise tamper with the encryption software.
- When traveling, some countries have encryption import and use restrictions. Check with the U.S. Department of State before traveling with encrypted IT Resources internationally to ensure that you have the most up-to-date information, or consult with the ISA if you have questions.
- Many nations do not recognize a personal use exemption1.
- Before traveling to these countries with an encrypted laptop, you may need to apply to their specified governmental agency for an import license.
- Additional information about international encryption controls and personal use exemption can be found at the following websites:
- The Wassenaar Arrangement
- Bureau of Industry and Security, U.S. Department of Commerce - Export Administration Regulations.
1Several countries negotiated rules to facilitate traveling with encryption software known as the Wassenaar Arrangement. One provision allows a traveler to freely enter a participating country with an encrypted device under a personal use exemption as long as the traveler does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting.
Definitions
Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key.
Full Disk Encryption (FDE), also known as whole disk encryption, is the process of encrypting all the data on the hard drive(s) on a computer, including the computer’s OS, and permitting access to the data only after successful authentication to the FDE product.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
- Backup Policy
- Data Classification and Protection Policy
- Data Classification Guidelines
- Technology Recommendations for Traveling
| Review Frequency | Biennial |
|---|---|
| Responsible Person | Senior Director of IT Security and Assurance |
| Approved By | CISO |
| Approval Date | August 30, 2018 |
| Version | Date | Description |
|---|---|---|
| 1.0 | 08/30/2018 | Initial document |
| 2.0 | 01/16/2020 | Updated policy statement |
| 2.1 | 02/11/2021 | Updated policy statement |
| 2.2 | 02/21/2023 | Updated policy statement |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.