When Encryption is Mandatory


Encryption is mandatory...

By law: on any portable device (e.g., laptop, netbook, tablet, smartphone), removable media (e.g., CD, thumb drive, portable disk drives), or any desktop computer or server that is NOT secured within a Dartmouth data center, when it contains Protected Health Information (PHI) or Personally Identifiable Information (PII: name + SSN or driver's license #, or gov't-issued ID #, or bank/credit card #). PHI and PII are NOT required to be encrypted when protected by other secure means within a locked data center. PII and PHI data in transit, including email, must be encrypted when in transit outside the Dartmouth network (including Dartmouth wireless).

By Dartmouth policy: same as above, PLUS any portable device or media containing confidential information (defined as Level 2 or 3 data under DISC policy).

Encryption solutions:

  1. For Windows laptops, desktops, and some unprotected Windows servers, as well as portable disks and removable media: BitLocker whole-disk encryption, available from Information Technology Services, is used. For Apple Macintosh desktops and notebooks, FileVault whole-disk encryption is used.
  2. For data in transit: SSL or other communications encryption solutions, available from Information, Technology & Consulting.
  3. For email in transit outside Dartmouth, or within Dartmouth if necessary: Microsoft Forefront (not yet deployed). In the interim, place the content in a Word or PDF file, password-protect the file, and attach it to the message. Share the password with the recipient via a separate communication.


Article ID: 64904
Tue 10/9/18 12:26 PM
Fri 4/17/20 3:30 PM