CUMC IT. Encryption Policy. Author: Carlo Cuttitta CUMC IT Columbia University Medical Center PH , 630 West 168th Street New York, NY 10032

Transcription

1 CUMC IT Encryption Policy Author: Carlo Cuttitta CUMC IT Columbia University Medical Center PH , 630 West 168th Street New York, NY 10032

2 Document Revision History Version Author(s) Date Issued to Comments 0.01D Carlo Cuttitta/ Prasad Satavalli Aug 30, 2010 Bob De Boer Draft version issued 0.02D Prasad Satavalli Sep 03, 2010 Richard Mikelinich, Carlo Cuttitta, Bob De Boer Changes and corrections all thru based on reviews from Erwin Pili, Jason Habbal, Carlo Cuttitta, Spencer, and Bob De Boer 1.0 Prasad Satavalli Sep 07, 2010 CUMC 1.01D Prasad Satavalli Sep 07, 2010 CUMC Incorporated several additional sections suggested by Richard Mikelinich and approved by Robert De Boer. Version 1.0 issued. Incorporated minor corrections suggested by Dr Sideli Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page ii

3 Table of Contents 1 General Information Terms Used in This Document Contact Encryption Policy Owner 4 2 Encryption Policy Policy Statement Primary Guidance to the Policy Scope of This Policy Encryption Devices and Media Requiring Encryption Who is governed by This Policy Who should know This Policy Exclusions and Limitations Policy Text Recommended Encryption Software Encryption Software Installation Procedure Encryption Software Usage Guidelines Disclaimers Export Control Laws 9 3 Appendices Appendix 1: GuardianEdge Encryption Software Installation Form 10 Appendix 2: Cross References to Related Policies and Information 11 Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page iii

4 1 General Information 1.1 Terms Used in This Document CUMC Columbia University Medical Center CUMC IT Columbia University Medical Center Information Technology CU Columbia University CUIT Columbia University Information Technology Client Refers to a department in CUMC Users Refers to individuals including but not limited to faculty, staff, and individuals authorized by CUMC affiliated institutions and organizations System Server and Application Service Desk CUMC IT s Service Desk Group Information Security Group (ISG) CUMC IT/NYP Security Group 1.2 Contact For submitting requests, questions, or comments on this policy please use: 5help@columbia.edu 1.3 Encryption Policy Owner Robert De Boer Deputy Chief Information Officer Columbia University Medical Center Information Technology 630 West 168th street, PH New York, NY (212) Work (212) Fax rd2293@columbia.edu Web Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 4

5 2 Encryption Policy 2.1 Policy Statement The encryption policy outlined in this document is designed to cover computers and removable storage media that store and process confidential and sensitive electronic data of Columbia University Medical Center corresponding to the definitions of confidential and sensitive data in the CUIT Data Classification Policy. 2.2 Primary Guidance to the Policy This Encryption policy responds to the following: CUIT Data Classification Policy which stipulates that sensitive and confidential data are required to be encrypted in compliance of the following: New York State Law New York State Information Security Breach and Notification Act Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Gramm-Leach-Bliley Act (GLBA) Payment Card Industry Data Security Standard (PCI DSS). For accessing the CUIT Data Classification Policy, please refer to Appendix 2, Cross References to Related Policies and Information. Note: Columbia University Medical Center is also bound by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, and addresses the privacy and security concerns associated with the electronic transmission of health information. This is not yet reflected in the above referenced policy. 2.3 Scope of This Policy The encryption policy covers the following: Encryption Devices that require encryption CUMC IT recommended software for encryption Procedure for installing the encryption software, and Guidelines for using the encryption software Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 5

6 2.4 Encryption Encryption is the conversion of data into a format that is not understandable. Only with proper access such as a user name and a password the data can be decrypted made understandable again. In simple terms, if a computer is encrypted by installing encryption software, the files, programs, and data on it are accessible only to the user who has a valid user name and password to that computer. Without a valid user name and password nobody can access the data on that computer. Encryption software protects laptops and computers when they are lost, stolen, or if someone who is not authorized to access them tries to access them. Files on removable media can be protected by encryption using encryption software. Encrypted computers and encrypted files on removable media cannot be accessed without a password. All it takes is setting up a very strong password beyond guess work to ensure that encryption is fail-safe. Note: For the CUMC IT Password Policy, please refer to Appendix 2, Cross References to Related Policies and Information 2.5 Devices and Media Requiring Encryption The following devices and removable media storing confidential or sensitive CUMC data require encryption: Laptops Desktop computers USB Flash drives CD and DVD media External hard disks Portable hard drives Files sent out as attachments Note: HIPAA/HITECH calls for data to be encrypted that is in transit like interfaces. Interfaces are not mentioned here because this encryption technology is not suitable for network transfer of data; such uses are encrypted by other means, for example, SSL or IPsec. 2.6 Who is governed by This Policy This policy applies to all the CUMC users who access the medical center electronic information resources. Individuals covered include but not limited to faculty, staff, students, and individuals authorized by CUMC affiliated institutions and organizations. 2.7 Who should know This Policy Anyone who accesses the medical center s electronic information resources: employees, consultants, interns and temporary workers. 2.8 Exclusions and Limitations Existing systems and applications containing sensitive and confidential information which cannot use encryption because of technology limitations may be granted waiver on a case by case basis upon evaluation by CUMC IT and the ISG. Such systems must go through a comprehensive risk assessment to ensure that major risks are addressed via compensating controls to protect sensitive data in lieu of encryption. Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 6

7 2.9 Policy Text All the laptops, workstations that store or access sensitive and confidential CUMC data as defined in the CUIT Data Classification Policy must be encrypted by installing encryption software. Files and backups from medical devices stored on removable media that store confidential or sensitive CUMC data must also be encrypted. Anytime confidential or sensitive CUMC data is placed on removable media such as CD, DVD, or portable hard drives such data must be encrypted. Anytime files containing confidential or sensitive CUMC data are ed such file attachments must be encrypted. Strong passwords must be used to protect computers. Password protected screensavers that lock the computers after five minutes of inactivity must be used to protect the computers. Files transferred to removable storage media using encryption software or files sent out as attachments after they are encrypted using encryption software must be protected with strong passwords. Removable media containing confidential or sensitive CUMC data must be kept safe and in a secure location. Related policies and information on passwords, backups, and other details is provided in Appendix 2, Cross References to Related Policies and Information Recommended Encryption Software CUMC IT recommends CUMC users to install encryption software called GuardianEdge on Windows laptops and workstations. Note: Details on how to acquire the software are provided in Appendix 1, GuardianEdge Encryption Software Installation Form. GuardianEdge is evaluated by CUMC IT to fulfill the encryption policy requirements and is made available free of cost to CUMC Encryption Software Installation Procedure 1. GuardianEdge installation requires administrative rights to the computer. For details on administrative rights please refer to the information provided in Appendix 2, Cross References to Related Policies and Information. 2. Users must have a very strong password for their computers. They must have strong password protected screensavers that turn on after five minutes of inactivity. Users must refer to the information about passwords and computer acceptable use policies presented in Appendix 2, Cross References to Related Policies and Information before installing GuardianEdge software. 3. Users must back up their data on computers or devices before downloading the GuardianEdge software. This includes all documents, worksheets, web browser favorites or bookmarks, images, files, contacts, calendar information and any other data, installation files, and licenses for software programs. 4. Data that is backed must be placed in a safe, protected, and encrypted location. Information on tools and utilities is provided on CUMC IT web site. For details, please refer to Appendix 2, Cross References to Related Policies and Information. Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 7

8 5. Users must continue to back up their data at regular intervals. For details, please refer to Appendix 2, Cross References to Related Policies and Information. 6. Users must be aware that after GuardianEdge is installed it cannot be uninstalled and can only be removed by formatting the drive resulting in a total loss of data. 7. Before installing GuardianEdge software, users must fill in and submit the GuardianEdge Encryption Software Installation Form. 8. Users must refer to the GuardianEdge end user documentation and checklists before installing the software Encryption Software Usage Guidelines 1. Users must back up the data on their computers or devices at regular intervals after installation of the encryption software. This includes all documents, worksheets, web browser favorites or bookmarks, images, files, contacts, calendar information and any other data, installation files, and licenses for software programs. 2. Users must never share their user names or passwords with others or write the user name and passwords on notes or books. 3. Upon installation GuardianEdge takes several hours to encrypt the drive, the first time. Users must disable hibernation feature on the computers so that the computer does not go into hibernation there by interrupting the encryption process. After the first time encryption GuardianEdge works silently in the background on the computer. 4. While encrypting files stored on removable media, users should not interrupt the encryption process by disconnecting the removable media from the computer. Files may get corrupted when encryption process is interrupted Disclaimers 1. CUMC IT is not responsible for lost data due to corruption, malware, failure to back up, or any such reason. 2. CUMC IT is not responsible for any issues that impact computer or device performance after the encryption software is installed. 3. Encryption software does not secure computers from viruses or hacker attacks. It protects computers and laptops from unauthorized access when the computers are locked, turned off, or in a hibernation mode using a password protected screensaver. Users must continue to ensure that their computers are up-to-date with operating system updates and anti-virus and anti-spyware updates. 4. CUMC IT cannot provide support in case encryption passwords are forgotten or lost by users. Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 8

9 2.14 Export Control Laws Software available from GuardianEdge Technologies, Inc. is subject to United States export controls. No software from this site may be downloaded or otherwise exported or re-exported: into (or to a national or resident of) Iran, Cuba, Sudan, Syria and North Korea or any other country to which the United States has embargoed goods; or any organization or company on the United States Commerce Department's "Denied Persons List." GuardianEdge is approved by the US Bureau of Industry and Security (Mass Market Commodity Code 5D992) for the export of our endpoint data protection products. This obviates the need for declaration or prior approval to travel with encrypted devices in most countries. GuardianEdge is approved by the French government (General Secretariat of National Defense) for import, transfer and/or supply of GuardianEdge products. China requires pre-approval before entering the country with encrypted devices. By downloading or using software from this site, users are agreeing to the foregoing and all applicable export control laws. Users are also warranting that they are not under the control of, located in, or a resident or national of any such country or on any such list. The information on export laws provided herein is not necessarily complete. For more information on export laws, please refer to United States Commerce Department, Bureau of Industry and Security at (202) or (202) You can also view online copies of the export license for the GuardianEdge Data Protection at: Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 9

10 3 Appendices Appendix 1: GuardianEdge Encryption Software Installation Form Computers and removable media that store and process the Medical Center s confidential and sensitive data corresponding to the CUIT Data Classification policy must be encrypted using encryption software in compliance with CUMC IT GuardianEdge Encryption Policy. CUMC IT offers GuardianEdge encryption software free to CUMC. Encryption software protects confidential and sensitive data on laptops and computers when they are lost, stolen, or if someone who is not authorized to access them tries to access them. Files on removable media can be protected by encryption using encryption software. Encrypted computers and encrypted files on removable media cannot be accessed without a password. All it takes is setting up a very strong password beyond guess work to ensure that encryption is effective. Before installing GuardianEdge encryption software you MUST make sure of the following: - you have a user name and a strong password to your computer, - your computer has a password protected screen saver that turns on automatically after five minutes of inactivity, and - you have backed up all the data on the computer to a safe, protected, and encrypted location. (You must continue to back up your computer at regular intervals even after GuardianEdge is installed) First Name: Title: Last Name: Department: UNI: Computer Serial Number: My computer is less than 3 years old* Note: CUMC IT recommends that your computer should not be older than 3 years and that you have made a full backup of your data before installing GuardianEdge. I have completed a full backup of my data* I have gone through the CUMC IT Password policy * I have a strong password to my computer (e.g. 8 characters or longer, use a combination of upper and lower case letters, Include at least one numeric and/or special character etc).) My computer has a password protected screensaver that turns on after five minutes of inactivity I have one of the following computer models: Latitude OptiPlex Dimension Note: If you do not have one of the models listed above please contact 5-Help ( ). Please be advised that GuardianEdge cannot be installed on Latitude Z600 models. My computer s Operating System*: Windows XP Windows Vista Windows 7 Note: At the present time GuardianEdge is not compatible with Macs. By installing GuardianEdge software: - I agree that I have read the CUMC IT GuardianEdge Encryption Policy and the related CUMC IT and CUIT policies on data classification, computer backup, passwords, encryption tools, administrative rights, and acceptable use stated in the GuardianEdge Encryption Policy. - I have gone through GuardianEdge Encryption end user documentation. - I take full responsibility for any consequences that may arise after the software is installed on my computer or equipment Signature/Approval*: Date: MM /DD /YYYY (Please type in your full name) Submit Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 10

11 Appendix 2: Cross References to Related Policies and Information Users are required to be in the know of the following policies and information before downloading and installing GuardianEdge encryption software: Data Classification Policy: CUMC IT and CUIT Data Classification policy described on CU web site at: 119b4fac83a0003.html?base=responsible_office Passwords: CUMC IT Password policy described on the CUMC IT website at: Backing up computers: Computer Backup information described on the CUMC IT website at: CUMC IT Supported Software: CUMC IT supported software information described on the CUMC IT website at: Encryption Tools (other than GuardianEdge): List of encryption tools and their details on the CUMC IT website at: Administrative rights to computers: CUMC IT Administrative Rights policies for computers on the CUMC IT website at: GuardianEdge end user documentation and checklists: To be made available by CUMC IT. Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT Page 11