it.ucsf.edu

Encryption Message FAQ

If I use FileVault 2 to encrypt my MacBook, how do I provide that information so that UC knows my system is encrypted?

IT asks that you submit an “Encryption Variance Request” form.  This serves as proof of encryption in the event of loss or theft.  Instructions are available here:

/services/oem-encryption/encryption-variance-request-individuals 

Further information is available on this page:

/how_do/encrypt-my-personal-laptopdesktop-installation-guidelines

When volunteer students from other universities come to do research in my lab, they bring their laptops.  Is the rule that they need to ensure the laptops are encrypted?  It's not entirely practical in all circumstances, as we frequently send non-human data to outside collaborators and they have it on their computers outside of the university, so how do we say there's a difference if they happen to be sitting in the university?

Yes, the rule is that all laptops used for UCSF business must be encrypted (/policies/ucsf-minimum-security-standards-electronic-information-resources).  While it may seem impractical, the potential fines and reputational damage outweigh the inconvenience. 

USB flash drives and SD cards:  I don't think it is practical to require people to either encrypt all such media or to not use it.  Some casual microscopy systems such as those in tissue culture rooms use consumer digital cameras to photograph cultured cells, with the data stored on SD cards in the camera.  There is not really an alternative for this, and no software interface in the camera of which I know to handle encryption.  

We recognize that even some professional cameras do not have the ability to encrypt images.  We ask that you copy images to a more secure location as soon as possible and remove the images from the camera.  Cameras should be physically secured when unattended, such as in a safe or locked cabinet.   

When we use USB Memory Sticks to transfer a PowerPoint lecture (containing patient images from patients who have given us written consent to use their images for teaching purposes) to a projection device computer at a CME meeting (outside of UCSF), those cannot be encrypted.  If we encrypt them, then the computer being used by the projectionist or the CME meeting cannot read the key because their computer doesn’t have the same encryption software.  This is one risk we just can’t mitigate.  The best we can do is to ask faculty to delete the talks from the devices after transfer, and to urge the meeting to delete the talk as well after it is given. 

We recommend you use hardware-encrypted devices such as those recommended here:  /how_do/buy-recommended-security-products.  While there may be a slight price increase on hardware-encrypted devices, the potential fines and reputational damage greatly outweigh the added cost.

I just wanted to let you know that I have a brand new MacBook Pro with Mavericks and the Symantec Encryption Desktop software would not work. Do you have a suggestion for how to fix this?

We are aware of the incompatibility and are in touch with Symantec regarding the issue.  See this page:  /how_do/encrypt-my-personal-laptopdesktop-installation-guidelines

We recommend that you use FileVault 2, the built-in encryption mechanism in OS X, and submit an Encryption Variance Request form to provide proof that your laptop is encrypted.  See /services/oem-encryption/encryption-variance-request-individuals.

The notice indicates that devices used for any UCSF activity require encryption. In addition, the notice indicates that desktop computers in our homes require encryption, which I also do not recall seeing previously.  Can you explain the reasons for these policies, if no patient information is viewed or stored on these devices?

There are great financial risks associated with using any non-trusted unencrypted computer; that is why we require encryption on all devices used for any UCSF business.  If you opt to use an unencrypted device, you assume the financial burden should a loss or theft occur.  The requirement that any computer used for UCSF business be encrypted is not new. 

Also, does this policy mean that I should never access UCSF mail from any computer other than my own, even if I am not viewing any patient information (for example, traveling without my laptop and using a computer at a relative’s home)? The UCSF mail site specifies that we choose public/shared vs. private computer. Should this be eliminated if we are required to access mail only from encrypted devices? 

Again, there are great financial risks associated with using any non-trusted unencrypted computer; that is why we require encryption on all devices used for any UCSF business.  If you opt to use an unencrypted device, you assume the financial burden should a loss or theft occur. 

Is FileVault 2 adequate encryption on a MacBook Air?

Yes, FileVault 2 is adequate, provided that you are using OS X 10.7 or later.  Older versions of OS X do not provide adequate encryption. 

More information is available at /how_do/encrypt-my-personal-laptopdesktop-installation-guidelines

If you use FileVault 2, you need to complete the Encryption Variance Request form here:  /services/oem-encryption/encryption-variance-request-individuals.
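
One way to check a Mac against the rule above (FileVault 2 turned on, OS X 10.7 or later) before filling in the form. This is an added example, not a UCSF tool; it assumes the `sw_vers` and `fdesetup` commands are present and that `fdesetup status` reports text of the form matched below, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not UCSF's tooling): evaluate a Mac against the FAQ's rule that
# FileVault 2 is adequate only on OS X 10.7 or later.

# version_ok VERSION: succeeds if VERSION (e.g. "10.9.2") is 10.7 or later.
# Compared numerically, so "10.10" is correctly treated as newer than "10.7".
version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then rest=0; fi      # no minor component given
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 10 ]; then return 0; fi
    [ "$major" -eq 10 ] && [ "$minor" -ge 7 ]
}

# filevault_state TEXT: map status text to on|encrypting|decrypting|off|unknown.
# In-progress states are checked first: the disk is not fully encrypted yet.
# The matched strings are an assumption about the tool's output format.
filevault_state() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# assess VERSION STATUS_TEXT: print a single verdict line.
assess() {
    if ! version_ok "$1"; then
        echo "not-adequate: OS X $1 is older than 10.7"
        return 0
    fi
    state=$(filevault_state "$2")
    if [ "$state" = on ]; then
        echo "adequate: FileVault on, OS X $1"
    else
        echo "not-adequate: FileVault state is $state"
    fi
}

# On a Mac, evaluate the live system; elsewhere this block only defines the functions.
if command -v fdesetup >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    assess "$(sw_vers -productVersion)" "$(fdesetup status 2>&1)"
fi
```

A verdict of "encrypting" means the initial encryption pass has not finished, so the check should be repeated once it completes.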