IT Data Security Policy - Laptop Disk Encryption
Purpose
Laptops can contain confidential information or sensitive company and employee information. This document is intended to outline the company requirements for protecting this information from loss to avoid an adverse impact to the company, our employees, and our customers. This document defines requirements for disk encryption protection.
Scope
This policy applies to all company laptops.
Policy
- All devices in scope will have disk encryption enabled.
- All employees, contractors, and anyone assigned a company issued laptop must immediately notify IT if a device is lost or stolen.
- The company encryption policy must be managed and compliance validated by IT and the encryption management system. Laptops must report compliance to the encryption management system, and reports must be sent to IT for regular review to ensure compliance.
- Security-related events will be logged and audited by the IT staff to identify any inappropriate access or malicious use.
- The IT staff will be permitted to issue an out-of-band challenge/response to allow access to a system in the event of failure, lost credentials, or other business-blocking requirements.
Technical Guidelines
- Sophos Endpoint Security and Encryption is the standard product used by the company.
- BIOS will be configured with a secure password that is stored by IT. The boot order will be fixed to the encrypted disk. If an override is required by a user for maintenance or emergency use, IT can authenticate the user and then provide the BIOS password.
- Strong cryptographic standards, as defined by industry best practice, must be employed.