Updated University Encryption Policy

March 18, 2021

After significant effort and collaboration with stakeholders, an update to the University’s Encryption Policy has been approved by the CIO.

This policy establishes the requirement for the use of full-disk encryption on all University-owned computing devices, including desktop computers, laptops, mobile phones and tablets. Other devices used to store confidential or restricted University information, regardless of ownership, are also in scope of this policy. This is consistent with legislative requirements, such as PHIPA and FIPPA, and the University’s need for protection against accidental disclosure or unauthorized access.

Updates to this policy include:

  • Expanded scope to include “All University owned computing devices, including desktop computers, laptops, mobile phones and tablets are in scope of this policy. Other devices used to store confidential or restricted University information, regardless of ownership, are also in scope.”
  • Quick reference guide to encryption
  • Inclusion of encryption requirements for servers, storage arrays, databases, and backups
  • Updated roles and responsibilities
  • Use of common terminology with the Data Storage Guidelines

The encryption practices detailed in the updated policy reflect those that we follow today. The policy also reflects security best practice and the standard that we use when evaluating external service providers, and requires that we hold ourselves to the same standard. While implementing all of these policies on legacy systems may not be feasible immediately, the intention is to use these standards where possible today, and then implement them fully in all new solutions and architectures going forward.

The full policy and quick reference guide can be found at https://www.uoguelph.ca/ccs/encryption-policy

 

Written by: Stephen Willem (Chief Information Security Officer)