Frequently Asked Questions

What is device encryption, and what does it do?

Encryption is a technology that protects the contents of your device from unauthorized access by converting it into unreadable code that cannot be deciphered easily. It is a much stronger level of protection than typical security features, such as logging into an operating system with your CWID and password or protecting individual files with passwords. Whole disk encryption is used to protect the entire contents of your device.

Can I opt out of encrypting my laptop?

Encryption is a relatively easy way to safely secure the data on your laptop from theft, misuse and loss. In the event that an exception to encryption is proposed, you must complete the Request for Device Encryption Exemption form and have the request approved by your Department Administrator, the Department Chair, or an equivalent senior manager. All exemption requests will be reviewed by ITS Security. Any exemption denials may be appealed by the requestor and will be brought to and reviewed by the Information Security and Privacy Advisory Committee (ISPAC). Exemptions are granted temporarily and will need to be recertified annually and/or if the purpose of the device or the job responsibilities of the requestor change. If an exempted device is misplaced, lost, or stolen, all associated costs for forensic investigation and legal and regulatory reporting will be charged to your department. Please contact Tom Horton, Chief Information Security Officer, at thh4011@med.cornell.edu with questions on this process.

Do I have to encrypt my device?

All devices tagged by ITS and used for WCMC purposes must be encrypted using an ITS-managed encryption solution unless otherwise exempted as defined in the ITS Device Encryption policy (11.06). This is to help protect you if you store, send, or receive confidential data, such as:

  • Social Security Numbers
  • Financial information, such as credit card and bank account numbers
  • Protected Health Information as defined by HIPAA
  • Research information
  • Other WCMC-proprietary information

Many people receive and store this information on their devices, even if they do not realize it, which is why we are mandating encryption on all tagged devices across the institution. The full definition of confidential data can be found in the ITS Data Classification Policy (11.03) and the ITS Device Encryption policy (11.06).

How much does it cost to encrypt my laptop?

For any ITS-tagged laptop, encryption is provided at no additional charge. We are available to assist and provide "best effort" support to encrypt untagged devices that meet our hardware requirements. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.

What type of encryption software does ITS use?

ITS uses Microsoft's BitLocker Drive Encryption for devices running Windows 7 or above and Apple's FileVault 2 for devices running Macintosh OS X 10.7 Lion or above. Both of these encryption solutions are native to the respective operating system and offer significant improvement in system performance. Symantec's Pretty Good Privacy (PGP) is being phased out and may only be used to support legacy devices requiring encryption. Mobile devices, such as tablets and smartphones, are encrypted using native device encryption that is enforced by our mobile device management solution.

What can I do if my device does not meet hardware requirements?

ITS recommends Macintosh users upgrade to OS X 10.7 Lion or higher. Encryption solutions for previous versions of OS X, such as the original version of FileVault, do not provide whole disk encryption and are not compliant with the Device Encryption policy. We also recommend that Windows users upgrade to Windows 7 or higher.

I have a desktop computer that stores confidential data as defined in the data classification policy. Can I have it encrypted?

The latest revision to the ITS Device Encryption policy (11.06) now requires that all tagged desktops be encrypted with the ITS-managed encryption solution.

Do BitLocker, FileVault 2, and PGP encrypt my entire hard drive?

Yes! Many types of encryption software do not encrypt the entire drive, but the ITS-managed encryption solutions utilize whole disk encryption, which means every sector of your hard drive will be encrypted.

How long does it take to encrypt my hard drive?

It takes about 15 minutes to install the encryption software, and then between 4 and 10 hours to finish the encryption, during which time you can use your computer normally. After the initial encryption is complete, the encryption should not disturb you while you work.

Will my computer act differently after it has been encrypted?

Devices encrypted with BitLocker Drive Encryption and FileVault 2 will not require any additional steps to access your data. Both encryption solutions are native to Windows and OS X, respectively, and require no additional logins. Legacy devices encrypted with PGP will require an additional password when first powering on your device. This separate password ensures only you can access your encrypted data. You can assign a separate password for this purpose but it can be the same as the CWID password you normally use to log into your computer.

Will my computer run slower once it is encrypted?

Occasionally, there is a minute reduction in computer speed after encryption. In general, this is unnoticeable on all but very old devices, such as those more than four years old.

Should I back up my computer before it is encrypted?

Yes! While we do not anticipate having any problems during the encryption process, it is always a good practice to back up your data to an encrypted removable storage device and verify it for accuracy before encrypting your laptop. If you need assistance with your backup, please contact Support.

I store confidential data on a removable storage device (USB thumb drive, external hard drive, etc.). Can I encrypt my removable storage device using BitLocker or FileVault 2?

Yes, but because compatibility varies across different types and versions of operating systems, we recommend choosing pre-encrypted removable storage devices that are compatible with nearly any computer. ITS is available to assist in choosing a compatible pre-encrypted drive.

Can I encrypt the device myself?

Yes, but because compatibility varies across different types and versions of operating systems, we recommend choosing pre-encrypted removable storage devices that are compatible with nearly any computer. ITS is available to assist in choosing a compatible pre-encrypted drive.

Why and how do you verify my identity if I forget my password?

We verify your identity because we want to ensure you are who you say you are before we give you a password or enter a recovery key to provide access to your data. We do not want someone who has stolen your laptop to circumvent our encryption system by claiming to be you. Prior to encrypting your device, you will be required to sign up for the myPassword management system. You will be asked to answer 5 questions about yourself (e.g., "What is your favorite color?" or "What city were you born in?"). If you forget your password or need a recovery key, the Service Desk will ask you for the answers to some of these questions. Once you have answered them successfully, we will work with you to recover your data as described above. If you cannot remember the answers to your questions, we will require that you visit us and show an ID or, if that is not possible, fax a copy of your ID to us for verification.

How does encryption work?

There are many types of encryption but the basic concept is to encode information (data) so that only those with the right "key" can decode and use it. Keys can be any random string of letters and numbers. For more information about the various encryption solutions used by ITS, visit the links below:

I've already encrypted my device on my own. Do I have to use the ITS-managed encryption solution?

Yes. In order to properly secure and protect the information stored on your tagged device, an ITS-managed encryption solution must be used.

What is the Information Security Breach and Notification Act? What does encryption have to do with it?

The Information Security Breach and Notification Act, or ISBANA, is a New York State regulation that requires institutions such as WCMC that believe social security numbers, bank information numbers, or credit card numbers were stolen or lost from computers they own or operate (such as laptops, mobile devices, or desktops) to publicly report the theft or loss to every individual affected. This is an expensive and time-consuming process that could adversely affect the reputation of WCMC.

WCMC is requiring encryption in order to implement extra security safeguards in the event of theft or loss. Lost or stolen encrypted devices are not subject to the notification requirement of the ISBANA regulations.
