This policy covers all computers, electronic devices, and media capable of storing electronic data that house Loyola Protected data or Loyola Sensitive data as defined by the Data Classification Policy. This policy also covers the circumstances under which encryption must be used when data is being transferred.
The purpose of this policy is to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption.
Devices and Media Requiring Encryption: All ITS managed databases that contain Loyola Protected Data must encrypt the Data at rest. All databases, application servers and file systems that contain Loyola Protected Data must leverage appropriate access control, per the Access Control Policy, to ensure that access to the Data is limited to those whose job functions require access.
Encryption is required for all laptops, workstations, and portable drives that may be used to store or access Loyola data. Departments that have a laptop, workstation, or portable drive that needs to be encrypted should contact the ITS Help Desk.
Electronic Data Transfers: Any transfer of unencrypted Loyola Protected data or Loyola Sensitive data must take place via an encrypted method. Encrypted Loyola Protected data or Loyola Sensitive data may be transmitted via encrypted or unencrypted methods. All email communications that involve email addresses outside of Loyola use an unencrypted method, and therefore require that messages containing Loyola Protected data or Loyola Sensitive data be encrypted. Approved methods of encrypting electronic data transfers are listed in the appendix. If the encryption method includes a password, that password must be transferred through an alternative method, such as calling the individual and leaving the password on their voice mail. Email messages containing encrypted data may never include the password. Individuals who are unsure if they are correctly encrypting electronic data transfers should contact the ITS Information Security team at DataSecurity@luc.edu.
Physical Transfer of Electronic Data: The physical transfer of Loyola Protected Data via a medium such as a CD, DVD, USB drive or other portable medium, either entirely within Loyola or between Loyola and a 3rd party, is not allowed. If there is a business need to perform a physical transfer of Loyola Protected Data, a request for an exception to the policy must be granted. The form to request an exception is at: https://itssecurity.luc.edu/pe.
Physical transfers of Loyola Sensitive Data must be encrypted. Archiving Loyola Sensitive data to a physical medium is not recommended, but is permitted if the data is encrypted. All archiving should be done electronically, so that it is stored in a controlled data center and backed up by ITS.
Software: ITS will install software that is capable of encrypting the entire hard drive on all ITS supported Loyola computers and electronic devices subject to this Policy. ITS will install encryption software on non-ITS-supported computers and devices if the software is compatible. If the computer or device is not compatible with the approved ITS encryption software and an acceptable alternative cannot be found, then Loyola Sensitive and Loyola Protected data may not be stored on the device. Users who require encryption software should contact ITS to arrange installation of encryption software.
Questions about this policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Examples of portable drives
- Flash drives
- USB hard drives
- iPhones / iPods / iPads
- Smart Phones (Blackberry, Android, Windows CE devices)
Please contact the UISO at DataSecurity@luc.edu for assistance with file or drive encryption. USB flash drives/thumb drives/memory sticks can be purchased with encryption built-in. Please visit http://www.luc.edu/its/purchases.shtml to view recommended products.
ITS will make the following approved encryption methods available for electronic data transfers:
- Transport Layer Security (TLS) / Secure Socket Layer (SSL)
- SSH File Transport Protocol (SFTP)
- Connecting via an ITS-approved Virtual Private Network (VPN)
The approved method of encrypting email is outlined at http://www.luc.edu/its/encrypt_email.shtml. If you have any questions about the process, please contact the Information Security team at DataSecurity@luc.edu.
- Access Control Policy
- PIP Policy - Electronic Security of Loyola Protected Data & Loyola Sensitive Data Policy
- PIP Policy - Data Classification Policy
May 25, 2011: Initial Policy
October 29, 2012: Annual PCI Review
Author: Information Security Advisory Council (ISAC)