Encryption
What is encryption?
Encryption refers to the process of converting your information into a form that cannot be understood by anyone who is not permitted to view that information. Without encryption it is very easy for a criminal, such as a computer hacker or an identity thief, to intercept and view your work.
Encryption should be used to protect against the loss and theft of valuable information when it is:
- Stored on portable computing devices such as laptops, tablets and smart phones
- Stored on portable storage devices such as USB flash drives and external hard disk drives
- Sent as an email attachment
- Sent across the Internet
The types of information you should encrypt include:
- Personal information that is protected under the Data Protection Act (e.g. staff, student and medical data)
- Information that is protected by a contractual agreement (e.g. financial or commercially sensitive data provided by a private sector company)
Recommended encryption products
If storing protected information on:
- A Windows computer: encrypt that information with Microsoft BitLocker.
- A Linux computer: encrypt that information with TrueCrypt if no built-in encryption is available.
- An Apple Macintosh: encrypt that information with Apple FileVault.
- A portable storage device: use a USB data stick or hard disk drive that provides AES-256 encryption. The ISS Information Security Team can advise on which devices to use.
If sending protected information via:
- Email: protect that information using the AES-256 encryption capabilities built into 7-Zip and WinZip. Both products can be used to create encrypted ZIP file archives that can be attached to an email.
- The Internet: contact the ISS Information Security Team for guidance on appropriate solutions such as Secure File Transfer Protocol (SFTP).
If you are a member of staff, the ISS Service Desk or your local computing officer can arrange installation and configuration of these encryption products. If you are a student, further guidance is available from the organisation that created the encryption product.
Devices that cannot be encrypted
It is not always possible to encrypt the newer types of mobile computing device, such as tablets and smart phones. It is recommended that you seek advice from the ISS Information Security Team before storing information on these types of devices.
Other important points to remember about encryption
- It is not possible to recover your information should anything go wrong during the encryption process or if you forget your encryption passphrase or lose your encryption key. Always keep a non-encrypted master copy of your valuable information on the ISS Filestore.
- Do not store protected information on a portable computing device or portable storage device, or send that information by email or via the Internet, unless absolutely necessary.
- If you have no other option but to store protected information on a portable computing device or portable storage device, keep that information to a minimum.
- Protected information should only be stored on a portable computing device as a temporary measure (e.g. if it is not possible to use the ISS Remote Access System).
- You should only store protected information on a portable storage device for data transfer purposes, and when no other secure data transfer method is available.
- Remove all protected information from the portable computing device or portable storage device if it no longer needs to be kept on the device.
- Just like your bank card and PIN, never store your encryption passphrase or key with your encrypted information.
- Use a long encryption passphrase of at least ten characters that contains a mix of alphabetic, numeric and punctuation characters. An example of such a passphrase is: “I’ve worked in HE for 3 years!”
- Always keep a record of the devices that you have encrypted. This will allow you to confirm whether a device was encrypted if it is lost or stolen.