Communications from Senior University Management
August 5, 2014 letter regarding encrypting employee laptop and desktop computers
Proactively encrypting your laptop and desktop computers is the single most important step you can take to protect your information and the University's data in the event the device is lost or stolen. The University has established a goal of verifiably encrypting all faculty, staff and postdoc Macintosh and Windows computers by May 31, 2015, and we are asking you to begin now using one of three options presented below. This requirement applies to both Stanford and personally owned computers that will continue to be used for Stanford activities on the campus network, other than those granted exceptions due to special research requirements. Anyone who stores, transmits or accesses Prohibited or Restricted information as defined under the Data Classification Guidelines should have all data encrypted now and not wait until the May 31, 2015 deadline.
As you may know, an Ad Hoc Faculty Committee on IT Privacy met last spring on a wide variety of information security issues and affirmed the importance of encrypting employee computers used for Stanford activities. When these systems are lost or stolen, it often leads to months of follow-up and remediation effort that could have easily been prevented if the systems had been encrypted. Over 16,000 University employee laptops and desktops are already encrypted (thank you!) via the Stanford Whole Disk Encryption (SWDE) service, which turns on the built-in encryption capabilities of both Macintosh and Windows computers. SWDE includes the University's systems management utility called BigFix, which also periodically verifies encryption status and collects other information regarding the device.
On rare occasions during the encryption process, we have seen disk failures occur. For this reason as well as being a general best practice, you are strongly encouraged to back up your files before starting to encrypt. CrashPlan PROe provided by IT Services is the recommended backup service and is widely used within Stanford, but your local IT group may provide other options. CrashPlan encrypts your backups for secure storage and also provides the option of setting a secondary password to ensure that only you can restore the files. You can find information about CrashPlan on the SecureComputing website.
For encrypting your computer, there are currently three options:
1) In order to make rapid progress toward the May 31, 2015 deadline, we are presently focused on encrypting the more than 15,000 computers with BigFix already installed that have native encryption capability but are not yet encrypted. For those SWDE-ready computers, users will soon be requested to initiate the encryption process, beginning with a short "(Stanford Device Identification") questionnaire that will appear on the screen as early as August 12, 2014. In the subsequent days or weeks, the SWDE installer will ask to initiate encryption, which can be postponed until a convenient time. Campus IT support staff are familiar with the SWDE installation process and will assist as needed.
Or2) Users can download and run the SWDE installer at any time on their systems. SWDE will begin by checking the operating system and hardware configuration and will indicate if any update is needed. The SWDE installer and instructions can be found via the SecureComputing website.
Or3) For those who would like to encrypt now without using BigFix or SWDE, you have the option of checking to see if your system is encryption-ready and activating the native encryption on your own. For instructions, see the SecureComputing website. As a reminder, we strongly recommend backing up your files prior to encrypting.
On Macintosh systems, native encryption is entirely transparent once enabled. On Windows systems, the only noticeable difference will be the need to enter another password of your choosing upon booting. Some older Macintosh and Windows systems may need to be upgraded in order to be encryption capable, and your local IT staff can help you in those cases. The Information Security Office has a process for you to request an exception from the encryption requirement for research computers that are not yet capable of efficient encryption. You will find the "Request Temporary Security Exception" form on the SecureComputing website.
In the coming months, further communications about the University's encryption initiative will be sent and utilities will be made available to easily attest the encryption statuses of your computers. More information about encryption is available on the SecureComputing website, and help is available by submitting a HelpSU request. I urge you to encrypt soon as a supplement to the other information security best practices we have been recommending – including regularly patching your operating system and applications, backing up your files, choosing strong passwords and remaining vigilant for phishing attempts. Thank you for your continuing partnership in these efforts to protect Stanford's data as well as your personal information.
Chief Information Security Officer