What is a method of sending information from one device to another using removable media?
UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving the Data Encryption on Removable Media requirement.

Anyone storing covered data on portable devices (such as laptops and smartphones) or removable and easily transported storage media (such as USB drives or CDs/DVDs) must use industry-accepted encryption technologies. Malicious users may gain unauthorized physical or logical access to a device, transfer information from the device to an attacker's system, and perform other actions that jeopardize the confidentiality of the information on the device. Removable media and mobile devices must be properly encrypted following the guidelines below when used to store covered data. Mobile devices include laptops and smartphones.

The various tools for encrypting data can be divided into three broad categories: 1) Self Encrypting USB Drives, 2) Media Encryption Software, 3) File Encryption Software.

Self Encrypting USB Drives are portable USB drives that embed encryption algorithms within the drive itself, thus eliminating the need to install any encryption software. The limitation of such devices is that the files are only encrypted while residing on the encrypted USB drive, which means files copied off the USB drive to be sent over email or other file sharing options will not be protected. These USB drives are also typically more expensive than non-encrypting USB drives.

Full Disk Encryption Software is software used to encrypt otherwise unprotected storage media such as CDs, DVDs, USB drives or laptop hard drives. The flexibility of this software allows protection to be applied to a greater selection of storage media. However, the same limitation on collaboration applies to media encryption software as it does to Self Encrypting USB Drives.

File Encryption Software allows greater flexibility in applying encryption to specific files. When File Encryption Software is used properly, resource proprietors can share encrypted files over email or other file sharing mechanisms while maintaining protection. To share encrypted files, ensure that passwords are shared securely following recommendation 4.a above.
Tool Category | Tool Options | Best For
---|---|---
Self-Encrypting USB Drives | |
Full Disk Encryption Software | |
File Encryption Software | |
The tools listed generally support modern operating systems such as Microsoft Windows, Mac OS X and Linux. Please consult vendor websites for specific system requirements.
Non-Compliant Encryption Tools
Many software applications provide password protection features that only provide a veil of security that is trivial to defeat. Software which does not meet encryption standards includes:
- Adobe Acrobat prior to version 10.0 (a.k.a. version X)
- Microsoft Office applications prior to 2010
- Winzip prior to version 9
In addition to following the provided recommendations, use tools mentioned in the Compliant Tools section whenever possible. If you are uncertain about an encryption tool, please contact for consultation.
Additional Resources
Data Recovery Plan
If removable media is the sole copy of covered data, you should do one of the following to ensure the covered data is securely backed up to other devices:
- Covered data is backed up to other removable media that adhere to the requirements set forth in this document, or
- Covered data is backed up to UCBackup with encryption
Password Management Tool
A password management tool is a solution that allows use of a single complex master password to protect all your other passwords and credentials in a central location. It also reduces the need for users to remember all the username and password permutations used for various applications and web services.
While convenient, the breadth of access provided by a password management tool requires heightened security to protect the password management database. Here are some recommendations on how to prevent your password management database from falling into the wrong hands:
- Do NOT share the password management database on websites or file sharing services
- Follow good password practices when creating the master password (meet MSSND #5 requirements AND be at least 10 characters long)
- Regularly back up the password management database file to prevent being locked out of all your passwords.
- Enable Multi-Factor Authentication (MFA) if the password management tool supports it. The following MFA options should be favored over any SMS-based (text message) or phone-based MFA options, as those are more susceptible to being bypassed:
  - Time-based OTP apps like Google Authenticator, Authy, or Duo
  - Physical U2F security key such as YubiKey
An example of a password management tool is LastPass, which is available for free on Windows, Linux and Mac OS X operating systems.