Encryption Requirements
Introduction
- Encryption is the process of making information unreadable to protect it from unauthorized access. After information has been encrypted, a secret key or password is needed to unencrypt it and make it readable again. This document defines standards that Users must comply with for encrypting Devices and files used to access or store UBC Electronic Information so that the information is protected from unauthorized access. This standard may also be used to protect the User’s own personal data, e.g. personal banking information.
- This standard incorporates the legal requirement to encrypt Personal Information stored on Devices, which has been affirmed by the British Columbia Information and Privacy Commissioner in their interpretation of the BC Freedom of Information and Protection of Privacy Act (FIPPA).
- The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.
Password Protection and Zipping
- Password protecting a Device or file merely creates a barrier that can be easily bypassed by a technically knowledgeable individual. By contrast, encrypting a Device or file protects information by ”scrambling” it to make it unreadable. It is virtually impossible to bypass encryption that complies with UBC standards.
- Also, zipping files does not automatically encrypt them; a zip file is simply a way to compress data into an easy-to-transport package. Most zip programs contain the ability to protect the compressed file with strong encryption, but this feature is not turned on by default.
Device-Level Encryption Requirements
- Encryption requirements apply to Devices, whether UBC-supplied or personally-owned, that are used to access UBC Electronic Information and Systems, or store UBC Electronic Information. Encryption must be implemented as follows:
Device Types Encryption Requirements Recommended Toolset Laptop and desktop computers Full disk encryption is required.
For Users Working Remotely on personally-owned desktop or laptop computers, refer to the Working Remotely standard for supplemental guidance.
Use native encryption for Windows (BitLocker), macOS (FileVault) or Linux (see section 5, Encryption of Devices using Operating Systems other than Microsoft Windows and Apple macOS). Smartphones, tablets and PDAs Device-level encryption is required. iOS and Android Devices with a vendor-supported OS (still receiving updates) connecting to FASmail using the native ActiveSync client are automatically encrypted. Mobile Storage Devices/Media Device/media-level encryption is required. Refer to How to Encrypt USB Sticks and Other Removable Media guideline. Servers Servers located in datacentres that comply with the Physical Security of UBC Datacentres standard No full disk encryption required. n/a Third party servers that have an equivalent level of security to the Physical Security of UBC Datacentres including:
- Datacentres at other higher education institutions and health authorities, in Canada
- EduCloud
- Compute Canada HPC
- Other third party servers approved by the CISO
No full disk encryption required. n/a Other servers than listed above. Full disk encryption is required.
See section 4 for Cloud-based Encryption Requirements, e.g. AWS Canada and SaaS.
Use native encryption for Windows (BitLocker) or Linux (see section 5). - Even in situations where encryption is not required in section 3.1, encryption may nevertheless be required to meet additional obligations such as contractual requirements.
- Using Mobile Devices to store High or Very High Risk Information is not recommended. However, there may be situations where this is necessary. For example, USB sticks are commonly used to transport large amounts of information. Also, if a Mobile Device is used to access email, these emails (including emails containing High or Very High Risk Information) may be backed up automatically on the Device. In both of these situations, encryption would be required.
- If Users are travelling abroad with a laptop that has an encrypted drive or that contains encrypted information, authorities of that country may require them to unencrypt the information or hand over the encryption keys (see Security Considerations for International Travel with Mobile Devices guideline).
- If a Device is lost or stolen, it is essential for the University to be able to accurately report on its encryption status. Users must provide a written confirmation of the encryption status and method (e.g. encrypted with BitLocker) at the time of loss or theft. University IT Support Staff may be able to assist in providing this information.
Cloud-based Encryption Requirements
- Encryption requirements apply to UBC Electronic Information and Systems stored and accessed in cloud-based technologies. Encryption must be implemented as follows:
Service Types Encryption Requirements Recommended Toolset Virtual servers, e.g. AWS Canada and Compute Canada Cloud (IaaS).
Object-based storage, e.g. AWS S3 bucket.
Full volume encryption is required. Use native encryption for Windows (BitLocker), Linux (see section 5) or service. Software as a Service (SaaS), e.g. Workday
Platform as a Service (PaaS), e.g. platform.sh
High or Very High Risk Information must be encrypted.
Low and Medium Risk Information should be encrypted where possible.
n/a - To limit vendor access to UBC Electronic Information, encryption keys should be stored with UBC (and not the vendor) unless not technically feasible.
Encryption of Devices using Operating Systems other than Microsoft Windows and Apple macOS (e.g. Linux)
- Due to operability or performance constraints, full disk encryption is not always viable for already deployed Operating Systems other than Microsoft Windows and Apple macOS (e.g. Linux). If full disk encryption isn’t viable then any of the following alternative options are considered acceptable:
- an encrypted Virtual Machine (VM);
- an encrypted partition;
- an encrypted home directory; or
- a securely mounted directory in the UDC, e.g. TeamShare or Home Drive.
- The local IT team(s) must advise Users who implement any of the above options that:
- these alternative options are not as secure as full disk encryption;
- the User must store all Medium, High or Very High Risk Information in one of the options listed in Section 5.1; and
- the User must put full disk encryption in place as soon as practically possible.
- University IT Support Staff must also send an email to information.security@ubc.ca identifying any Users who have implemented any alternatives to full disk encryption. The CISO will maintain a record of these Users and on a periodic schedule review viability to transition to full disk encryption.
Encryption Exemptions
- The following types of UBC Systems are exempt from encryption requirements if they are fully compliant with the Encryption Exemption Criteria and they have been documented in a completed and submitted Encryption Exemption Attestation Form:
- Direct Attached Storage (DAS);
- kiosks;
- public workstations;
- instructional lab workstations;
- instrument controllers; and
- lectern/podium workstations.
- If the UBC System cannot be encrypted and is not compliant with the Encryption Exemption Criteria, then a variance must be requested from the CIO, as per the Requesting Variances from Information Security Standards standard.
File-Level Encryption Requirements
- For instructions on encrypting Word, Excel and other general files, refer to the How to Encrypt Files Using Common Applications guideline.
- For requirements on emailing UBC Electronic Information, refer to the Transmission and Sharing of UBC Electronic Information standard.
Password Requirements
- Strong passphrases or passwords must be used for encryption in compliance with the Passphrase and Password Protection standard.
- If the password (also called a ”key”) is forgotten or lost, the data may be unrecoverable. Therefore, it is essential to have a key recovery strategy. Where operationally feasible, faculty and staff can use the University’s Key Escrow services, or simply write down the password and store it in a secure location such as a safe. Further information about key recovery can be found in the Cryptographic Controls standard.
Technical Requirements
- UBC’s minimum encryption standard is AES-128 bit encryption or equivalent; AES-256 bit encryption is recommended. Further technical requirements can be found in the Cryptographic Controls standard. University IT Support Staff, including staff in the IT Service Centre, are available to assist Users to implement these requirements where necessary.
Related Documents and Resources
- BC Freedom of Information and Protection of Privacy Act (FIPPA)
- Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
- Working Remotely standard
- Setting Up UBC Faculty & Staff Email Using ActiveSync
- How to Encrypt USB Sticks and Other Removable Media guideline
- Physical Security of UBC Datacentres standard
- Security Considerations for International Travel with Mobile Devices guideline
- Encryption Exemption Criteria
- Encryption Exemption Attestation Form (with CWL credentials)
- Systems for Encryption Exemption
- Requesting Variances from Information Security Standards standard
- How to Encrypt Files Using Common Applications guideline
- Transmission and Sharing of UBC Electronic Information standard
- Passphrase and Password Protection standard
- Cryptographic Controls standard
Standard Last Revised: 2023-09