Updated Encryption Policy Approved March 2021
Encryption supports data privacy and integrity by converting electronic information into a format that is readable only by authorized individuals. If Confidential (S3) or Restricted (S4) data is compromised, lost, or stolen, The University is required to publicly disclose this incident to the Information and Privacy Commissioner of Ontario. However, by fully encrypting storage devices, the data is considered secure, even if lost or stolen.
This policy establishes the requirement for the use of full disk encryption on all University owned computing devices, including desktop computers, laptops, mobile phones and tablets. Other devices used to store confidential or restricted University information, regardless of ownership, are also in scope of this policy. This is consistent with legislative requirements, such as PHIPA and FIPPA, and the University’s need for protection against accidental disclosure or unauthorized access.
Significant updates to this policy include:
- Expanded scope to include “All University owned computing devices, including desktop computers, laptops, mobile phones and tablets are in scope of this policy. Other devices used to store confidential or restricted University information, regardless of ownership, are also in scope.”
- Quick reference guide to encryption
- Inclusion of encryption requirements for servers, storage arrays, databases, and backups
- Updated roles and responsibilities
- Use of common terminology with the Data Storage Guidelines
The encryption practices detailed in the updated policy reflect those that we follow today. The policy also reflects security best practice and the standard that we use when evaluating external service providers, and requires that we hold ourselves to the same standard.
For more information, see the full Encryption Policy (PDF) , approved on March 16, 2021.
|University Owned Device Type||Encryption Requirement||Recommended Solution|
|Laptop and Desktop Computers||Full disk encryption of all local hard drives is required regardless of data stored||
Use of the centrally-managed encryption service is strongly recommended.
Where not possible, use of built-in encryption technology offered in Microsoft Windows (BitLocker) and macOS (FileVault) are recommended.
In all cases, current records of encryption status must be maintained and are required in the event of a lost or stolen device.
|Mobile Phones and Tablets||Device-level encryption is required||
Devices used to access or store University data, including email, must be encrypted.
Refer to Information Security guidance on encrypting mobile devices.
|Portable Storage Devices and Media||Software or hardware encryption is required for all portable storage devices and media used to store or transport Confidential (S3) or Restricted (S4) University data.||Refer to the CCS-supported Encrypted USB drive solution.|
|Servers and Storage Arrays||
Encryption is required on servers and storage arrays that access or store Confidential (S3) or Restricted (S4) data.
Full disk encryption is strongly recommended for all other servers and storage arrays.
In the case of virtual servers, encrypting the underlying storage meets this requirement.
|Encryption options will vary based on operating system and platform.|
|Databases||Full database encryption is strongly recommended for all databases, and Databases containing Confidential (S3) or Restricted (S4) information are required to use field-level encryption to protect those data elements.||Database encryption options will vary based on platform. Full database encryption and field-level encryption are acceptable.|
|Backups||Encryption of all data backups is required.||Backup technologies used will vary by platform, however all data backups must be encrypted.|