Information Security
Endpoint Device Encryption Standard
Last modified 4/8/2026
Purpose
The purpose of this standard is to ensure the confidentiality, integrity, and availability of data handled by the organization and its members by establishing requirements for the use of device encryption on endpoint devices [1]. Further, this standard supports compliance with legal requirements, regulatory obligations, and security frameworks.
Scope
This standard applies to all endpoint devices ("devices") owned, managed, or maintained by the University, including devices under vendor management.
Scope Exemptions
This standard does not apply to personally-owned devices.
Standard
All scoped devices must meet the following criteria:
- Devices must implement full-disk encryption [2] for all internal storage [3] where capable. Where not capable, devices must at a minimum implement encryption for boot partitions [5] and data partitions for all internal storage.
- Devices must escrow decryption keys in a central key management repository [4].
- Devices must undergo periodic reviews and recertification to ensure they remain encrypted and compliant with this standard.
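The three criteria above, and the footnote rule that "partial encryption" does not count, applied to an inventory export. This is an added example, not the University's own tooling; the inventory records and the 180-day review interval are constructed assumptions.

```python
# Added example (not the University's tooling): checks constructed inventory
# records against the Standard's three criteria; INVENTORY below is sample data.
from dataclasses import dataclass, field

@dataclass
class Volume:
    name: str
    role: str              # "boot", "data" or "other"
    encrypted: bool
    partial: bool = False  # e.g. Jamf "partial encryption" state

@dataclass
class Device:
    hostname: str
    fde_capable: bool      # platform can do full-disk encryption
    key_escrowed: bool     # recovery key held in central repository
    days_since_review: int
    volumes: list = field(default_factory=list)

def check_device(dev, review_interval_days=180):
    """Return findings for one device; an empty list means compliant."""
    findings = []
    # Criterion 1: FDE on all internal storage where capable, otherwise at
    # minimum every boot and data partition must be encrypted.
    required = dev.volumes if dev.fde_capable else [
        v for v in dev.volumes if v.role in ("boot", "data")]
    for v in required:
        if v.partial:
            findings.append(f"{v.name}: partial encryption is not compliant")
        elif not v.encrypted:
            findings.append(f"{v.name}: {v.role} volume is not encrypted")
    # Criterion 2: decryption keys escrowed centrally.
    if not dev.key_escrowed:
        findings.append("decryption key not escrowed in key management repository")
    # Criterion 3: periodic review and recertification (interval is an assumption).
    if dev.days_since_review > review_interval_days:
        findings.append("recertification overdue")
    return findings

INVENTORY = [
    Device("lap-01", True, True, 30, [Volume("disk0", "data", True)]),
    Device("mac-02", True, True, 10, [Volume("Macintosh HD", "boot", True),
                                     Volume("Data", "data", True, partial=True)]),
    Device("appl-03", False, True, 200, [Volume("boot", "boot", True),
           Volume("data", "data", True), Volume("scratch", "other", False)]),
    Device("lap-04", True, False, 5, [Volume("disk0", "data", False)]),
]

def evaluate_inventory(devices=INVENTORY, review_interval_days=180):
    return {d.hostname: check_device(d, review_interval_days) for d in devices}
```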
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or support teams are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office through the University’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- The information technology team and functional business units associated with the exception request
- Systems affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The Information Security Office will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following notes define terms referenced in the other sections of this document:
- [1] Servers are systems that provide services to other systems including but not limited to server operating systems, appliances, hypervisors, networking equipment, databases, web applications, and more. Endpoints are systems that exclusively consume services from other systems including but not limited to desktops, laptops, tablets, mobile devices, and more. All systems are classified as either a server or an endpoint.
- [2] Full-disk encryption (FDE) is a security control that encrypts all data on a storage device. FDE protects devices from unauthorized access to data and data loss. Examples of encryption solutions are BitLocker and FileVault. The Secure Enclave and Data Protection features of Apple silicon are not compliant with this standard's encryption requirements without also having FileVault enabled for the boot and data partitions (Jamf reporting may show such devices as "partial encryption").
- [3] Internal storage is storage physically inside of a device including hard drives and solid state drives. External storage is storage physically outside of a device, usually portable and easily disconnected, including flash drives or external drives.
- [4] A key management repository is a system purpose-built to maintain secrets, such as decryption keys. Examples include Microsoft 365 (Entra/Azure), Active Directory, Keeper, Jamf, and System Center (SCCM).
- [5] Boot partitions, for the purposes of this standard, are critical partitions on a disk responsible for secure system startup tasks, such as loading the system kernel and starting the operating system. Data partitions, for the purposes of this standard, are defined as any partitions where University or user data can be stored.
Roles & Responsibilities
| Role | Responsibilities |
| --- | --- |
| Chief Information Security Officer (CISO) | Oversees configuration management governance and compliance. |
| System/Application/Endpoint Administrators | Responsible and accountable for configuration management. |
| ISO Team | Monitors threat intelligence, reports on configuration compliance, and assesses risks. |
Compliance
The Information Security Office will report on configuration management status to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following information provides supporting references that informed the development of this standard:
Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/
Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/
NIST 800-53 Security and Privacy Controls for Information Systems and Organizations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf
CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1
Jamf FileVault Deployment (configuration profile recommended): https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Activating_FileVault_Disk_Encryption_using_a_Configuration_Profile.html
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
3.6 Encrypt Data on End-User Devices: Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
3.9 Encrypt Data on Removable Media: Encrypt data on removable media.
3.11 Encrypt Sensitive Data at Rest: Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
Feedback
To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.