1.06 – Device Encryption
Last updated : January 14, 2022
This policy is will be effective from Monday 17 January 2022
To see prior version, please click here.
Estimate Reading Time : 5 minutes
All users of desktops, laptops, tablets, and mobile devices (whether Information Technologies & Services [ITS] tagged or untagged) must take care to protect high risk data. All devices tagged by ITS and used for PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC. (“Company“) purposes must be encrypted using an ITS-approved encryption solution unless a variance has been submitted and approved as defined in this policy. Users shall take care when accessing, storing, or transmitting high risk data on untagged devices, as described in this policy. All untagged removable storage drives, such as external hard drives or USB flash drives, must be encrypted if containing high risk data.
Reason for Policy
Encryption provides strong protection by making data inaccessible to those without proper access credentials. Additionally, encryption can exempt Company from reporting requirements in the event of a theft or loss under the Information Security Breach and Notification Act, and it meets many of the security standards defined under the HIPAA Security Rule.
Entities Affected by this Policy
PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC (“Company”).
Who Should Read this Policy
All individuals provided with a PopIt Snack Account (“PSAID“) for accessing Platform information systems and accessing, storing, sending, receiving, or transmitting any Platform data.
Web Address of this Policy
1. Encryption of Supported Devices
Encryption shall be provided, at no additional charge, for any tagged device used by Company Department, staff, administrative officials or, in select cases, affiliates that is not otherwise exempted from this rule.
Company Department, staff, and affiliates with encrypted devices who are terminating their relationship with PopIt Snack Platform must inform ITS or their department head prior to termination so that the encryption software and confidential data can be safely removed.
2. Encryption of Unsupported Devices
Users are responsible for safeguarding high risk data on untagged devices, such as those that are individually or personally owned but used for Company purposes. In situations where an individual needs to access Company high risk data from an untagged device, secure channels shall be used. Examples of known secure channels are ITS-supported remote access connections, Wi-Fi networks secured with a password (not in public cafés or hotels), or webmail. Users shall take caution to not download or save sensitive attachments or files on untagged devices. In extenuating circumstances where high risk data must be stored on untagged devices, the devices should be encrypted to ensure the confidentiality of the data. Users of untagged and unencrypted devices are responsible for safeguarding and securing Company high risk data.
ITS is available to assist and provide “best effort” support to encrypt untagged devices. Users are strongly encouraged to make an encrypted backup of the device data and verify it for accuracy and completeness.
3. Removable Storage Devices
High risk data stored on removable storage devices must be encrypted. Examples of removable storage devices include, but are not limited to, flash drives, external hard drives, memory cards, and optical discs. Strong hardware- or software-based encryption algorithms such as the Advanced Encryption Standard (AES) with at least 256-bit keys should be used. Examples of compliant encryption software for removable storage devices include Apple FileVault 2, Microsoft BitLocker, LUKS (for Linux systems), and VeraCrypt (open source). When encrypted removable storage devices are used to share high risk data, the encryption password must be shared separately and in a secure manner, such as encrypted email.
4. Variances to this Policy
All end user devices (regardless of individual or company worker) must be encrypted if they access, store, send, or receive high risk data. Variances shall be considered in relatively unusual circumstances only when the following conditions are met:
- The device is demonstrated not to contain protected data at least annually and users attest that it will never be used for protected data;
- The device does not meet the minimum hardware requirements to support encryption or is known to be incompatible with a Company application;\
- No practical encrypted alternative is available; and,
- A completed variance request form is submitted to ITS Support with approval from the user’s department administrator.
There is significant risk in not encrypting devices used to access Company data and a breach may result in regulatory sanctions and fines for the Company and the individual responsible for the data.
Any devices with an approved variance to this policy that change possession or are repurposed must be encrypted or filed under a new variance request.
5. Device Decommission and Decryption
Users leaving Company must notify ITS in advance of leaving so any managed encryption software and high risk data can be safely removed. Contact ITS Support to schedule the removal.
6. Additional Resources
Asset Disposal Form
Variance Request Form
7. Related Policies
1.03 – Data Classification
1.17 – Identity and Access Management
These definitions apply to institutions and regulations as they are used in this policy. Definitions of technical terms are supplied by NIST IR 7298 Revision 2, Glossary of Key Information Security Terms.
- Company: PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC.
- ITS: Information Technologies & Services Department
- PII: Personally identifiable information, as defined in GAO-08-536 Privacy Protection Alternatives, is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
- PHI: Protected health information, as defined in Title 45 CFR §160.103, is individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information (i) in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by a covered entity in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
- HIPAA: Health Insurance Portability and Accountability Act of 1996.
- high risk data: As defined in ITS 11.03 – Data Classification, high risk data includes, without limitation, the following: PHI; PII; financial data, including data covered under the Gramm-Leach-Bliley Act (GLBA) and the information pertaining to credit cards covered by the Payment Card Industry Data Security Standard (PCI DSS); employment records, including pay, benefits, personnel evaluations, and other staff records; research data involving human subjects that are subject to the Federal Policy for the Protection of Human Subjects (Common Rule) as defined in Title 45 CFR §46.101 et seq.; and user account or system passwords that provide access to information systems or applications containing any of the above confidential data elements.
- tagged device: A tagged device that is supported by ITS and is permitted to connect to the Company network and access selected Company services.
- untagged device: A device that is not supported by ITS and is not permitted to connect to the Company network.
- removable storage: A portable storage device such as a floppy disk, compact disk, USB flash drive, external hard drive, and other flash memory card/drive that contains nonvolatile memory.
- encryption: A process which converts plain data into a coded form or cipher in order to prevent unauthorized access.