Encryption Exemption Criteria

Information Security Guideline

UBC Systems are exempt from encryption requirements if they are fully compliant with the criteria below, and they have been documented in a completed and submitted Encryption Exemption Attestation Form:

Direct Attached Storage (DAS) – External

External Direct Attached Storage (DAS) is an external array of drives that is not considered portable, and cannot easily be carried or moved by an average individual.

  1. The DAS requires a Server or host system to operate.
  2. The DAS is not network accessible without a host system.
  3. The DAS is locally mounted on a host, e.g. connected via Thunderbolt 3.
  4. The DAS is physically secured via security cable, locking cabinet or other similar physical security measure.
  5. The information on the DAS is Low Risk Information only and will never change to be of a higher risk level.

Direct Attached Storage (DAS) – Internal

Internal Direct Attached Storage (DAS) is DAS that is internal and housed in a Server.

  1. The Server housing the DAS is physically secured via security cable, locking cabinet or other similar physical security measure.
  2. The information on the Server is Low Risk Information only and will never change to be of a higher risk level.

Kiosk

Kiosks are interactive terminals for short-term use that provide access to specific information and applications without a user login.

  1. Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is daily, but at a minimum at least once per week.
  2. Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
  3. The terminal is not visible or accessible from the Internet.
  4. USB ports are disabled.
  5. CD/disk drives are disabled.
  6. Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
  7. The information on the Kiosk is Low Risk Information only and will never change to be of a higher risk level.

Public Workstation

Public Workstations are permanent, shared Workstations for short-term use that require a user login.

  1. Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
  2. Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is after every session, but at a minimum daily.
  3. Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
  4. Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
    1. after a maximum session length of 12 hours; and
    2. where reasonable, after 30 minutes of User inactivity.
  5. The Workstation is not visible or accessible from the Internet.
  6. CD/disk drives are disabled.
  7. Endpoint Detection and Response (EDR) software approved by the CISO has been installed.

Instructional Lab Workstation

Instructional lab workstations are located in an instructional lab space for students that require a user login. These do not include Workstations dedicated to a specific course or used for research.

  1. Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
  2. Software or process controls that wipe session data (including anything cached locally) are in place. The recommended frequency is after every session, but at a minimum daily.
  3. Logs are sent elsewhere (e.g. a separate log storage service) prior to session data being wiped.
  4. Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
    1. after a maximum session length of 12 hours; and
    2. where reasonable, after 30 minutes of User inactivity.
  5. Endpoint Detection and Response (EDR) software approved by the CISO has been installed.
  6. (Recommended) The Workstation is not visible or accessible from the Internet.

Instrument Controller – No data stored

Instrument controllers – No data stored are Workstations used for controlling instrumentation where no data is stored on the Workstation.

  1. The Workstation is not visible or accessible from the Internet.
  2. USB ports are disabled, except when used for serial license keys.
  3. Endpoint Detection and Response (EDR) software approved by the CISO is installed where technically possible, as per the Securing Computing and Mobile Storage Devices/Media standard.
  4. (Recommended) Screensaver Locks/Idle Timeout has been set as per the Securing Computing and Mobile Storage Devices/Media standard.

Instrument Controller – Data stored

Instrument controllers – Data stored are Workstations used for controlling instrumentation where data captured from the instrument (e.g. microscope, IoT Device, MRI machine, genetic sequencer) is stored on the Workstation.

  1. Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
  2. Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
    1. after a maximum session length of 12 hours; and
    2. where reasonable, after 30 minutes of User inactivity.
  3. The Workstation is not visible or accessible from the Internet.
  4. USB ports are disabled, except when used for serial license keys.
  5. Endpoint Detection and Response (EDR) software approved by the CISO is installed where technically possible, as per the Securing Computing and Mobile Storage Devices/Media standard.

Lectern/Podium Workstation

Lectern/podium workstations are multi-purpose Workstations located in a classroom for instructor use.

  1. Individual user login is required to access the Workstation (CWL recommended). No generic logins permitted.
  2. Authenticated sessions must timeout as follows, after which Users must reauthenticate to continue an existing session or establish a new session:
    1. after a maximum session length of 12 hours; and
    2. where reasonable, after 30 minutes of User inactivity.
  3. The Workstation is not visible or accessible from the Internet.
  4. Endpoint Detection and Response (EDR) software approved by the CISO has been installed.

Related Documents and Resources

  1. Encryption Requirements standard
  2. Encryption Exemption Attestation Form (with CWL credentials)
  3. Systems for Encryption Exemption

Criteria Last Revised: 2023-09