Information Services Unit
SOM Encryption Project

ISU SOM Encryption FAQ

Encryption Basics

  1. What kinds of information should be encrypted?
    Last Updated 2009/07/08
    1. All sensitive data--patient related or not--requires encryption. Sensitive data includes:
      1. Identity information (Social Security numbers, California driver’s license or identification card numbers)
      2. Financial account information (checking, savings and credit card account numbers)
      3. Student record information (grades, financial aid information)
      4. Medical record information (diagnoses, treatment information, identity information included in medical records)
      5. Other information may be considered sensitive such as:
        Intellectual property
  2. Why should I protect restricted information?
    Last Updated 2009/07/08
    1. Federal and state laws require sensitive data to be protected:
      1. HIPAA (Health Insurance Portability and Accountability Act of August 1996)
      2. California Assembly Bill 211 (AB-211)
      3. California Senate Bill 541 (SB-541)
      4. California Senate Bill 1386 (SB-1386)
      5. FERPA (Family Educational Rights Privacy Act)
    2. University policy also requires protection:
      1. UCOP - IS3 Electronic Information Security
      2. UCSF 650-16 Information Security and Confidentiality policies.
    3. Financial penalties for you personally, the School, and the University could accrue for failing to protect restricted information.
  3. What is encryption software and what does it do?
    Last Updated 2009/07/08
    1. Like secret codes for messages, whole disk encryption software – such as Check Point FDE – garbles information stored on computers. A password (or key) un-garbles or decrypts the information.
    2. If your computer is lost or stolen with active encryption, information on the computer will not be readable without the password.
    3. Check Point FDE uses encryption to protect data on the entire disk, regardless of where it is actually stored on the disk. Some other encryption solutions, including Microsoft EFS and Apple’s FileVault, may be limited to user profiles and folders and do not actually encrypt the contents of the entire disk.
  4. Why is encryption important for my system?
    Last Updated 2009/07/08
    1. Anyone with physical access to an unprotected laptop/tablet can gain access to the data stored there--even without a username/password. Encryption adds a layer of protection to guard against unauthorized access by requiring authentication.
  5. What will I see after encryption software is installed on my computer?
    Last Updated 2009/07/08
    1. In most cases, once installed, encryption software is virtually invisible, with a minor or negligible performance hit. You may see other evidence of the encryption software, for example on a Windows machine, a Check Point icon in the System Tray, a Check Point folder in the Programs folder, and a Check Point splash screen at startup.
  6. If I have encryption installed, is my computer protected when I'm not using it?
    Last Updated 2009/07/08
    1. Yes. Your information is protected when your computer is powered off or hibernating because the encryption requires that you authenticate with a password for access.
  7. If I have encryption installed, is my data ever vulnerable?
    Last Updated 2009/07/08
    1. Of course, your computer should always be protected by anti-virus and anti-malware software and by appropriate security patches. Security best practices include logging out or locking your computer whenever you plan to be away from the computer. Anytime you are logged in but not physically present, your data is vulnerable.
  8. If I have encryption installed, do I still have to remove PHI (protected health information) or RHI (research health information) from my electronic files?
    Last Updated 2009/08/03
    1. Yes. The use of encryption to help protect patient confidentiality does not override any other responsibilities or guidelines defined by the IRB/CHR, HIPAA, UCSF, UCOP and CA State law. Clinicians, researchers and staff should continue to follow the “least required” rule to limit the amount of PHI/RHI to the minimum necessary for the task at hand.
  9. Will encryption slow down my system?
    Last Updated 2009/07/08
    1. When the software is first installed, you may experience some performance degradation when your drive is being encrypted for the first time. However, once the encryption process is complete, the performance hit in most cases will be minimal. In some cases, the performance hit may be more noticeable, particularly with applications that read/write intensively to the hard drive.

Project Policy Questions

  1. Is there a governance board that mandated this project?
    Last Updated 2009/07/08
    1. The Dean of the School of Medicine has approved this project in collaboration with the Dean’s Staff, School’s Chairs and Directors. The project is to ensure compliance with Federal and State laws, as well as protect the good name of UCSF.
  2. Is ISU collaborating with OAAIS or other campus groups to provide encryption services?
    Last Updated 2009/07/08
    1. Yes. The goal of this initiative is to ensure appropriate encryption of all mobile and high-risk devices used for University business within the School and safeguard against any loss of sensitive information.
    2. ISU, as the School of Medicine IT Security Control Point, will lead the initiative. However, to do this ISU will:
      1. Leverage existing expertise and infrastructure within OAAIS Enterprise Information Security, UCSF Medical Center IT, the UCSF Privacy Office, and partner SOM IT groups to assure a successful, cost-effective project.
      2. Establish campus-wide best practices for securing devices with encryption with OAAIS, UCSF Medical Center, and partner SOM IT groups.
  3. Can a department decide not to encrypt this year, given the budget constraints?
    Last Updated 2009/07/08
    1. No. However, due to budget constraints, the Dean has agreed to fund the first-year software costs. Departments will have to implement it using their own internal resources or have ISU provide the services on a recharge basis.

Project Scope

  1. Is this project for all SOM departments, or just for Clinical Science departments?
    Last Updated 2009/07/08
    1. Our project focuses on high-risk computer systems within the School including clinical science departments, basic science departments, organized research units, and interdisciplinary centers. The initial phase of the project focuses on laptops.
  2. What computers are included?
    Last Updated 2009/07/08
    1. All laptops and high-risk desktops that are University-owned within the School of Medicine and meet the minimum requirements for Check Point FDE.
      1. University owned: All computers purchased using University funds, even those used at home.
      2. High risk: Any system that regularly works with sensitive information (see Q1). Any system with data that if compromised could result in severe legal and financial implications to the School of Medicine and/or to the individual if not secured via encryption. Not all high-risk systems are in-scope for this project.
  3. Does this project scope include both laptop computers and desktop computers?
    Last Updated 2009/07/08
    1. All laptops are considered high-risk.
    2. Desktop computers may be high-risk and will be reviewed on a case by case basis.
  4. Will servers be included this year?
    Last Updated 2009/07/08
    1. Servers will not be included in this phase of the project.

SOM Encryption Service

  1. What is the SOM encryption project?
    Last Updated 2009/07/08
    1. A phased project to encrypt all systems within the School of Medicine that store PHI and sensitive data led by ISU and coordinated with multiple IT partners. The FY 09-10 phase targets the highest risk computers.
  2. What software will be used for the SOM Encryption Project?
    Last Updated 2009/07/08
    1. Check Point Full Disk Encryption (FDE) software
    2. Successfully implemented at UCSF's Medical Center and OAAIS, Check Point's FDE
      1. ensures interoperability between SOM and the rest of UCSF.
      2. allows SOM to leverage existing encryption expertise and infrastructure at UCSF.
      3. meets HIPAA security requirements.
      4. provides our customers with a supportable, maintainable, and well-documented encryption solution.
  3. What are the project costs?
    Last Updated 2009/07/08
    1. Cost breakdown:

      | Item | DO Cost | Department Cost |
      |---|---|---|
      | Check Point FDE License | $100/device (FY 09-10 only) | |
      | Annual Maintenance fee | | $50/device |
      | Installation | | $260/device* (ISU estimated) |
      | Quality Assurance Assessment | | TBD |

    2. The Dean is paying for the one time encryption software license costs (approximately $100 per device) for FY 09-10.
    3. The Dean is not covering costs associated with:
      1. The installation of the encryption software,
      2. The recurring annual software maintenance cost of about $50 per device (FY 10-11 and thereafter),
      3. Or the costs associated with a quality assurance assessment (see below).
    4. As of FY10-11 all licensing & maintenance costs are covered by the Network Recharge.
  4. What will the cost be for ongoing annual maintenance, and who will be paying for it?
    Last Updated 2009/07/08
    1. Currently OAAIS charges about $50 per device per year for the software and operations maintenance. Departments are responsible for this expense and will incur the expense starting in FY 10-11.
    2. ISU is working with OAAIS to reduce these costs by pooling all related costs across UCSF.
    3. As of FY10-11 all licensing & maintenance costs are covered by the Network Recharge.
  5. The estimate is $260 per computer. How did you arrive at that estimate?
    Last Updated 2009/07/08
    1. $260 includes labor charges associated with:
      1. Labor: Estimated 3.5 hours of effort to complete the following:
        1. Retrieve device from customer
        2. Defragment hard drive (HD)
        3. A full disk “ChkDsk” will be performed on HD (failure requires HD replacement)
        4. Remove pre-existing encryption (if needed – may add additional time)
        5. Backup user profile (for specific file restoration)
        6. Backup image of entire HD (in case HD fails during the encryption process)
        7. Install and configure Check Point FDE software
        8. Commence encryption process
        9. Move backup data to network storage
        10. Deliver device to customer
    2. Provided for budgeting/planning purposes only, the $260 is an estimate. Actual costs may be higher or lower and will reflect actual work performed, along with any required hardware replacements/upgrades.
  6. What are the options for fulfilling the requirement of having encryption on laptops and high-risk desktops?
    Last Updated 2009/07/08
    1. ISU will coordinate with Departments and SOM Partner IT groups to determine how best to implement Encryption.
      1. Departments can choose to have ISU manage the entire encryption process.
      2. Departments can encrypt all their systems internally using their own IT Staff and resources. If departments perform their own encryption, ISU will provide guidance, including standard operating procedures, to support project success. ISU will need to provide a quality assurance assessment to verify that the department’s IT staff has completed the task as per guidelines and that the work is audit-worthy. This work, although expected to be nominal, will be recharged to each department.
  7. What is the project approach?
    Last Updated 2009/07/08
    1. SOM ISU provides project leadership:
      1. Project Management
      2. Resources on a recharge basis for departments who opt-in on ISU doing the work
      3. QA assessment to ensure the implementation is audit-worthy.
    2. OAAIS will provide:
      1. existing server infrastructure
      2. training and installation support for encryption software
    3. SOM ISU will supplement this with:
      1. Standard Operating Procedures for encryption best practices and to position departments well for audit for encryption
      2. Provide department IT groups with access to the asset management system to capture laptop inventory
  8. What is the project timeline?
    Last Updated 2009/07/08
    1. The project schedule spans the entire FY 09-10 fiscal year. ISU will work with departments to devise a schedule that meets their needs and try to accomplish the tasks as soon as possible. Departments may be prioritized based on risk.

Quality Assurance Assessment

  1. Why is it necessary for ISU to perform a QA assessment, and why do we have to pay for it?
    Last Updated 2009/07/08
    1. ISU is SOM’s Security Control Point. Our role includes verifying that Departments within the School have followed standard operating procedures such as inventory management, encryption logs verification, etc. This is to ensure the work completed by each department is audit-worthy.
    2. To do this, ISU will conduct a QA assessment of areas that the UCSF Audit Office typically checks. We expect the QA assessment to be brief, provided that SOPs are followed.
    3. The original budget request for this project included a request for a Security Analyst for the QA assessment funding. The Dean has agreed to pay for the FY 09-10 licensing for the Check Point FDE software. The implementation has to be recharged to departments, including the QA assessment.
  2. Can you please explain what the QA assessment would consist of?
    Last Updated 2009/07/08
    1. A QA checklist will be developed by the PM and communicated as soon as it’s available.
  3. How can we guarantee compliance is continued after this project is completed?
    Last Updated 2009/07/08
    1. The implementation of standard operating procedures will support compliance on an ongoing basis. Any violations will be picked up during routine audits by the UCSF Audit & Management Services team.

Technical Specifications

  1. What platforms will the Encryption software run on?
    Last Updated 2009/07/08
    1. Windows: Windows 2000 (32bit), Windows XP (32bit), Windows XP Tablet (32bit), Windows Vista (32bit)

      Macintosh: Mac OS 10.4.11 and Mac OS 10.5.0 being fully supported. ***Only Intel based. Intel Mac Mini’s are slated to be officially supported in Q3. List of affected Apple systems

  2. Can we use Apple’s File Vault for encrypting our Macintosh laptops and desktops?
    Last Updated 2009/07/08
    1. No, File Vault does not support UCSF’s standard of full disk encryption.
    2. File Vault only encrypts each user’s Home Profile, leaving the rest of the hard drive unencrypted. File Vault is profile specific, requiring encrypting every new user’s home folder.
  3. Can we use Microsoft’s EFS to encrypt our Windows laptops and desktop?
    Last Updated 2009/07/08
    1. No, the SOM Encryption Standard is full disk encryption. EFS presents similar shortcomings to File Vault; please refer to the previous question.
  4. Can we use other encryption products, such as TrueCrypt?
    Last Updated 2009/07/08
    1. No. Most of these other products do not scale well in an enterprise environment and do not support a centralized management system where encryption status can be verified in a log file. In addition, some products do not meet all of our encryption needs. For example, TrueCrypt does not support full disk encryption on Macintosh boot volumes.
  5. What are the Minimum System Requirements?
    Last Updated 2009/07/08
    1. Check Point FDE Encryption Minimum Requirements

      | Operating System | Memory | Disk Space | Does not support |
      |---|---|---|---|
      | Windows Vista (32bit) | 512 MB RAM | 100 MB, of which 2 MB must be contiguous, free space. Less than 80% full | Stripe/Volume sets; Dynamic/Hidden Volumes; Dual Boot OS |
      | Windows XP (32bit) | 128 MB RAM | 100 MB, of which 2 MB must be contiguous, free space. Less than 80% full | Stripe/Volume sets; Dynamic/Hidden Volumes; Dual Boot OS |
      | Windows 2000 (32bit) | 64 MB RAM | 100 MB, of which 2 MB must be contiguous, free space. Less than 80% full | Stripe/Volume sets; Dynamic/Hidden Volumes; Dual Boot OS |
      | Windows XP Tablet Edition (32bit) | 128 MB RAM | 100 MB, of which 2 MB must be contiguous, free space. Less than 80% full | Stripe/Volume sets; Dynamic/Hidden Volumes; Dual Boot OS |
      | Macintosh X 10.4.11, 10.5.0 | | 50MB free disk Space | PowerPC Processor, Mac Mini’s, older iMacs (List of affected Apple systems) |

  6. Do SOM recommended requirements differ from Check Point minimum requirements?
    Last Updated 2009/07/08
    1. SOM highly recommends that the base requirements for Windows laptops be a Pentium 4 or Pentium M processor, and 1GB of RAM. Please see the question below for risks involved with using older systems.
  7. If my laptop does not meet the minimum recommended requirement, can I upgrade it or will I need to purchase a new computer?
    Last Updated 2009/08/03
    1. Upgrading an existing laptop to meet the requirements may be an option for you; however we suggest you consider the following issues when making your decision:
    2. Computers older than 3-4 years become increasingly costly to maintain over time, are more likely to fail, and often perform inadequately as technology standards and software packages change. If your laptop is older than 2 years, the expense associated with upgrading it to meet the minimum system requirements for encryption may not be cost effective.
    3. Upgrading a laptop hard drive frequently requires many hours of technician time to physically replace the existing hard drive and transfer your operating system, applications and data files. If you pay hourly charges for this work, it may make more sense to apply this expense (e.g. $200-$500) towards the purchase of a new computer with the encryption standard already installed.
    4. Upgrading memory (to at least 1 GB) in a laptop less than 2-3 years old that meets all the other system requirements may be a cost effective approach. The cost of 1 GB of memory is generally under $100 and most recent laptops are designed to support easy memory upgrades. However, there is a risk with upgrading memory that the new memory will be faulty, and troubleshooting memory problems (intermittent or non-reproducible crashes) can be frustrating, time consuming and expensive.
    5. Upgrading the CPU (processor) in a laptop is often not-supported or could involve replacing the entire motherboard. We do not recommend upgrading laptops that fail to meet the minimum CPU requirements for the encryption standard.
  8. What are the restrictions regarding systems older than 3 years?
    Last Updated 2009/07/08
    1. PowerPC-based Macintoshes are NOT supported by Check Point Full Disk Encryption.
    2. Older drives are more likely to fail during the encryption process. Encryption is a processor-intensive task and will require more time (increasing cost) to complete on older systems. The likelihood that hardware will need to be replaced because of failure increases with age, and more time will be spent identifying and repairing faulty equipment than actually encrypting.
    3. Older computers may lack processing power and show a degradation of performance.
  9. Can Check Point FDE be installed on a computer that is not joined to the Active Directory domain?
    Last Updated 2009/07/08
    1. Yes. However, for the SOM implementation of Check Point FDE, we require that the computer be bound in order to report encryption status back to the centralized management system.
  10. Will all computers be backed up as part of the encryption process?
    Last Updated 2009/07/08
    1. Yes. The SOM ISU SOP for installing encryption includes making a complete backup of all local data (using Ghost).
  11. Who will have access to the management console which allows password resets, etc.?
    Last Updated 2009/07/08
    1. Department CSCs, ISU, and OAAIS EIS (Enterprise Information Security).
  12. Will departmental IT groups have the ability to perform remote unlocks?
    Last Updated 2009/07/08
    1. Department CSCs will have the ability to unlock the encrypted laptops that they support via the console.
  13. Will EIS and/or SOM ISU require specific administrative rights either to the software or the machine?
    Last Updated 2009/07/08
    1. No. Only the I.T. department that performs the Encryption will need to have admin rights on the computer.
  14. How do we encrypt handheld devices?
    Last Updated 2009/07/08
    1. Blackberry – devices connecting to SOM Exchange through the BES server are encrypted by default. Each device in the departments should be verified by the CSC.
    2. iPhone – available only on the latest 3GS models (evaluation in progress).
  15. How can we assure that all new computer deployments are compliant?
    Last Updated 2009/07/08
    1. We encourage departments to develop purchasing SOPs that require new computer purchases to be entered into the SOM asset management system and have encryption installed on systems considered to be high-risk. This will be part of the SOP provided by ISU as guidelines.
  16. Will there be a standard for labeling computers that have been encrypted?
    Last Updated 2009/07/08
    1. No.
  17. How will we recycle licenses when machines leave UCSF or are retired?
    Last Updated 2009/07/08
    1. Procedure is under development.
  18. Will SOM ISU develop educational materials for different user populations?
    Last Updated 2009/07/08
    1. SOM ISU is developing SOPs for installing encryption and working with EIS for training materials. The SOM implementation of Check Point FDE provides a user experience where encryption is essentially transparent to the end user, therefore requiring minimal user training.
  19. What is the waiver process for exempting a laptop/tablet from using encryption software?
    Last Updated 2009/07/08
    1. Procedure is under development.
Updated: February 10, 2010