Information Security

Endpoint Device Encryption Standard

Last modified 11/3/2025

Purpose

The purpose of this standard is to ensure the confidentiality, integrity, and availability of data handled by the organization and its members by establishing requirements for the use of device encryption on endpoint devices [1]. Further, this standard supports compliance with legal requirements, regulatory obligations, and security frameworks.

Scope

This standard applies to all endpoint devices ("devices") owned, managed, or maintained by the University, including vendor management of these devices.

Scope Exemptions

This standard does not apply to personally-owned devices.

This standard does not apply to devices with a technical limitation where no encryption solution can be used.

This standard does not apply to devices with an access limitation where encryption would prevent users of the device from accessing it.

Standard

All scoped devices must meet the following criteria:

  1. Devices must implement full-disk encryption [2] for all internal storage [3].
  2. Devices must undergo periodic reviews and recertification to ensure they remain encrypted and compliant with this standard.

Exceptions

While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.

Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:

  • The information technology team and functional business units associated with the exception request
  • Systems affected by the exception
  • A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented

The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.

Additional Information

Footnotes

The following information provides supporting information referenced in the other sections of this document:

  1. Servers are systems that provide services to other systems including but not limited to server operating systems, appliances, hypervisors, networking equipment, databases, web applications, and more. Endpoints are systems that exclusively consume services from other systems including but not limited to desktops, laptops, tablets, mobile devices, and more. All systems are classified as either a server or an endpoint.
  2. Full-disk encryption (FDE) is a security control that encrypts all bits on a storage device. FDE protects devices from unauthorized access to data and from data loss. Examples of FDE-capable solutions are BitLocker and FileVault.
  3. Internal storage is storage physically inside a device, including hard drives and solid-state drives. External storage is storage physically outside a device, usually portable and easily disconnected, including flash drives or external drives.
  4. A key management repository is a system purpose-built to maintain secrets, such as decryption keys. Examples include Microsoft 365, Active Directory, Keeper, and other key management solutions.

Roles & Responsibilities

Role: Chief Information Security Officer (CISO)
Responsibilities: Oversees configuration management governance and compliance.

Role: System/Application/Endpoint Administrators
Responsibilities: Responsible and accountable for configuration management.

Role: ISO Team
Responsibilities: Monitors threat intelligence, reports on configuration compliance, and assesses risks.

Compliance

The Information Security Office will report on configuration management status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.

Supporting References

The following information provides supporting references that informed the development of this standard:

Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/

Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/

NIST 800-53 Security and Privacy Controls for Information Systems and Organizations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1

CIS Control v8 Guidance

Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.

3.6 Encrypt Data on End-User Devices: Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

3.9 Encrypt Data on Removable Media: Encrypt data on removable media.

3.11 Encrypt Sensitive Data at Rest: Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.