Due to the risk of theft or loss, all devices (laptops, desktops, smartphones, tablets, etc.) tagged by ITS must be encrypted using the ITS-managed encryption systems. Encryption shall be provided, at no additional charge, for any ITS-tagged device used by Weill Cornell Medical College faculty, staff, students, administrative officials, or - in select cases - affiliates.
Users are responsible for safeguarding confidential data on untagged devices, such as those that are individually or personally owned but used for WCMC purposes. Users shall take caution to not download or save sensitive attachments or files on untagged devices. In extenuating circumstances where confidential data must be stored on untagged devices, the devices should be (1) tagged by ITS, or (2) encrypted to ensure the confidentiality of the data. Users of untagged and unencrypted devices are responsible for safeguarding and securing WCMC confidential data. ITS is available to assist and provide "best effort" support to encrypt untagged devices. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.
- Full (“whole disk”) encryption of your device using an ITS-managed encryption solution that is native to the operating system (BitLocker Drive Encryption for Windows, FileVault 2 for Mac OS X)
- Installation of the encryption software by a trained ITS technician
- Protection of data with minimal impact to user experience and device performance
- Automatic enforcement of data protection with centrally-managed policies
Cost and Fees
The encryption of ITS-tagged devices shall be provided at no additional charge. Devices not meeting the minimum operating system requirements may involve a nominal charge for upgrade. Any questions about the device encryption policy should be directed to Brian J. Tschinkel, Information Security Officer, at (646) 962-2768 or firstname.lastname@example.org.
Any exemptions must be requested via the Device Encryption Exemption Request form. Devices cannot be connected to the network without encryption without an approved exemption request by ITS Security.
Frequently Asked Questions
Q: What is device encryption, and what does it do?
A: Encryption is a technology that protects the contents of your device from unauthorized access by converting it into unreadable code that cannot be deciphered easily. It is a much stronger level of protection than typical security features, such as logging into an operating system with your CWID and password or protecting individual files with passwords. Whole disk encryption is used to protect the entire contents of your device.
Q: Do I have to encrypt my device?
A: All devices tagged by ITS and used for WCMC purposes must be encrypted using an ITS-managed encryption solution unless otherwise exempted as defined in the ITS Device Encryption policy (11.06). This is to help protect you if you store, send, or receive any of the following types of confidential data, such as:
- Social Security Numbers
- Financial information, such as credit card and bank account numbers
- Protected Health Information as defined by HIPAA
- Research information
- Other WCMC-proprietary information
Many people receive and store this information on their devices, even if they do not realize it, which is why we are mandating encryption on all tagged devices across the institution. The full definition of confidential data can be found in the ITS Data Classification Policy (11.03) and the ITS Device Encryption policy (11.06).
Q: Can I opt out of encrypting my laptop?
A: Encryption is a relatively easy way to safely secure the data on your laptop from theft, misuse and loss. In the event that an exception to encryption is proposed, you must complete the Request for Device Encryption Exemption form and have the request approved by your Department Administrator, the Department Chair, or an equivalent senior manager. All exemption requests will be reviewed by ITS Security. Any exemption denials may be appealed by the requestor and will be brought to and reviewed by the Information Security and Privacy Advisory Committee (ISPAC). Exemptions are granted temporarily and will need to be recertified annually and/or if the purpose of the device or the job responsibilities of the requestor change. If an exempted device is misplaced, lost, or stolen, all associated costs for forensic investigation and legal and regulatory reporting will be charged to your department. Please contact Brian Tschinkel, Information Security Officer, email@example.com with questions on this process.