Data Encryption Policy

Purpose

The purpose of this policy is to establish the types of devices and media that need to be encrypted and when encryption must be used. These guidelines have been established in order to protect the confidentiality of Babson College personal information on all Babson-owned portable computers, electronic devices and media capable of storing electronic data.

General/Definitions

Encryption is required for all Babson-owned portable computing devices that may be used to store personal information in accordance with applicable State and Federal law. ITSD will provide, install, configure and support data encryption where it is needed. Babson managed personal information shall not be stored on personally-owned portable computing devices.

Data Security Committee: A committee comprised of the Data Security Officers, the Vice President and General Counsel, the Director of Student Financial Services, the Associate Vice President for Human Resources and the Controller whose role is to identify and assess internal and external risks to the security, confidentiality, and integrity of sensitive paper and electronic records which contain personal information.

Data Security Liaison: The office, department and division designate who is responsible for restricting access to records and files containing personal information to those who need such information to perform their job duties; monitoring unauthorized use of or access to personal information within that office, department or division; and reporting any such unauthorized use or access to the Data Security Committee.

Encryption: A process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used.

Encryption Key: A password, file or piece of hardware that is required to encrypt and decrypt information, essentially locking and unlocking the data.

File Based Encryption: A method for encrypting data at the file system level. Data is encrypted on an individual file basis. The whole drive is not encrypted.

Portable Computing Device: Any readily portable device or storage medium capable of storing College-managed electronic data. Examples include (but may not be limited to): laptop computer, netbook, smart phone, personal data assistant (PDA), USB hard drive, flash drive. For purposes of this policy, the portable computing devices considered in scope are limited to laptops, netbooks, USB hard drives and flash drives and Blackberries, to the extent technically feasible.

Personal information: An individual’s first name and last name or first initial and last name in combination with one or more of the following data elements: social security number, driver’s license number or state-identification card number, or financial account number, or credit or debit card number, with or without any required security code, access code, personally identifiable identification number or password, that would permit access to a resident’s financial account. (Massachusetts General Law Chapter 93H)

Sensitive Information: Data whose disclosure would not result in any business, financial or legal loss but involves issues of personally identifiable credibility, privacy or reputation. The security and protection of this data is dictated by a desire to maintain staff and student privacy.

Organizational Scope

This policy affects faculty, staff and students who are authorized to store personal information on Babson-owned portable computing devices. This policy applies to all Babson-owned portable computing devices storing Babson-managed personal information.

Policy Content and Guidelines

ITSD will provide file based encryption technology to protect laptops and other portable computing devices identified by the Data Security Committee and/or the Data Security Liaison as containing Babson-managed personal information.

Any Babson-owned portable computing device containing personal information must employ file based encryption as defined in this policy to protect this data. Conversely, any Babson-owned portable computing device not employing file based encryption must not store personal information.

Only file based encryption solutions approved by ITSD and configured according to standards set by ITSD may be utilized to satisfy the requirements of this policy. The encryption solution will centrally manage the file based encryption client software for all systems, including encryption format, key management and logging. ITSD will centrally maintain copies of encryption keys and encryption audit logs. The College retains the right to decrypt data using the centrally maintained key as required.

It is the responsibility of the Data Security Liaison in each organization to ensure that systems requiring encryption are identified, and that encryption is properly deployed on these systems.

Users must report any known, unencrypted personal information on portable computing devices to the IT Service Center at extension 4357 and request assistance in removing the data or acquiring encryption software.

It is a violation of this policy for anyone to attempt to disable, remove, or otherwise tamper with the encryption software. Failure to comply with this policy regarding the encryption of Personal Information may result in disciplinary action up to and including termination of employment.

Approval Agency

Executive Vice President/Executive Dean
Vice President for Administration and CIO
Vice President and General Counsel

Approval Dates

This policy was originally approved on:
This version was approved on:
This version takes effect from:
This policy will be reviewed by:

Policy Sponsor

Director, IT Support Services

Contact

IT Support Services
