Table of Contents
- History
- Purpose
- Scope
- Policy Statement
- Definitions
- Roles & Responsibilities
- Process
- Enforcement
- Related Documentation
- Contact
- Assessment Requirements
- Revision History
History
Business Practice Number: BP-05-011
Title: Workstation Encryption
Effective Date: 10/01/2025
Last Revised: 10/01/2025
Approved By: James August, Chief Information Officer
Purpose
This Business Practice establishes the requirement and process for encrypting workstations at the University. The purpose is to reduce the risk of sensitive data exposure through the loss or theft of devices. Encryption is a critical safeguard against security breaches that could result in violation of legal statutes, financial penalties, reputational harm, and loss of public trust.
Scope
This practice applies to all University-owned and -managed workstations, including desktops, laptops, and tablets, that are used by faculty, staff, auxiliaries, and contractors.
Policy Statement
- All workstations that process or store Level 1 or Level 2 sensitive data (confidential or internal use) must be encrypted.
- As a general practice, all University-provided and maintained workstations will be delivered and managed by ITS in an encrypted state, regardless of whether sensitive data is anticipated to be stored.
- Any user or group requesting to operate a university-managed workstation without encryption must obtain an exemption from the Chief Information Security Officer (CISO). Exemptions will only be considered when:
  - The device does not contain or process sensitive data.
  - The requesting unit demonstrates a valid operational need for non-encryption.
Definitions
Encryption: The process of encoding information to prevent access by unauthorized parties. For University workstations, full-disk encryption (e.g., BitLocker for Windows, FileVault for macOS) is the standard.
Sensitive Data: Information classified as Level 1 (Confidential) or Level 2 (Internal Use) according to CSU data classification standards.
Roles & Responsibilities
- ITS User Services (Workstation Administrator)
  - Deploys all University workstations with full-disk encryption enabled.
  - Maintains central management of encryption keys and compliance status.
- Information Security (ISO)
  - Ensures compliance with CSU and University security standards.
  - Reviews exemption requests and makes recommendations to the CISO.
  - Monitors encryption compliance through periodic assessments.
- Chief Information Security Officer (CISO)
  - Reviews and approves or denies requests for exemption from workstation encryption.
  - Maintains records of approved exemptions.
- Users/Departments
  - Must not attempt to disable encryption on university-managed workstations.
  - Responsible for submitting exemption requests if encryption interferes with required work.
Process
Standard Encryption Deployment
- All workstations deployed by ITS will be encrypted prior to delivery.
- Encryption status is verified at setup and monitored periodically by ITS.
Exemption Process
- A user or department seeking exemption must submit a request to the CISO through the IT helpdesk.
- The request must:
  - Identify the device(s) in question.
  - Provide justification for exemption.
  - Confirm that the device will not store or process sensitive data.
- The CISO will review the request.
- The CISO may grant or deny the exemption. Approved exemptions will be documented.
Compliance Assessments
- Information Security will conduct periodic reviews of encryption status across university-managed devices.
- Findings will be reported to ITS leadership, and remediation steps will be initiated where required.
Enforcement
Non-compliance with this practice may result in revocation of device access to university systems and networks, and escalation to division leadership.
Related Documentation
- CSU Information Security Policy – ICSUAM 8000 series
- CSU Information Security Standard – 8050.S100 Common Workstation Configuration Standard
Contact
Information Security Team – infosec@csuci.edu
ITS Help Desk – helpdesk@csuci.edu
Assessment Requirements
Assessment requirements and history are listed in the grid below.

| Description | Frequency | Role Assigned |
|---|---|---|
| Review of the business practice | Annual | CISO |
| Review list of the encrypted and not encrypted devices | Annual | CISO, Director of User Services, Director of Technology Infrastructure |
Revision History
| BP Number | BP.05.011 | Date created | 10/01/2025 | Revised by |
| Revision number | Revision date |