Home > Office Services Purchasing Team > Information Technology > Information Technology Policies
Information Technology Policies
Laptop/Device Encryption Policy
A policy memo requiring that laptops and mobile storage devices be purchased with an encryption solution was issued on April 22, 2009, by Robert Johnson, Associate Senior Vice President, Finance and Business Services, and Laura La Corte, Associate Senior Vice President, Compliance.
The memo makes clear that all laptops and mobile storage devices acquired on or after April 22, 2009, that are paid for using university funds and/or used for university business purposes must be purchased with an encryption solution. To be in compliance with this policy, laptops and mobile storage devices must be either a) delivered with built-in encryption (preferred) or b) accompanied by a software-based encryption solution for subsequent installation. Note that even if the instrument is encrypted, the best practice is to avoid storing any sensitive data on any laptop or mobile storage device.
The complete policy memo is posted below.
Purchase Orders with Contract Computer Suppliers
To facilitate compliance with this policy, USC's contract suppliers have agreed to sell only laptops and mobile storage devices with encryption solutions, when the instrument is paid on a university purchase order. A list of contract suppliers of laptops and mobile storage devices is posted on the following web page:
Purchases on Credit Cards with Contract and Non-Contract Computer Suppliers
Employees who purchase new laptops and mobile storage devices from a non-contracted vendor (e.g. Costco, Best Buy, Frys, etc.) or from a contract supplier using a credit card must provide proof that the instrument was purchased with an encryption solution. Proof should be provided as an attachment to a) a reimbursement request (if Travel Card or personal funds were used) or b) a Procurement Card receipt. Reimbursements will not be processed with out proof of encryption.
Use of Personal Laptops and Mobile Devices for Business
Employees who use personal laptops and mobile storage devices for business purposes must be in compliance with this policy.
Model and Encryption Options
Purchasing Services will no longer recommend specific secured models. Instead, departments can select the laptop and mobile storage device most appropriate for the business need, and subsequently make arrangements to ensure the laptop or mobile storage device is encrypted.
Regarding laptops, some models already come encrypted at no added cost. Other laptops will require the supplier to charge separately for the laptop to be encrypted. Yet other laptops will come with an encryption solution that must be installed by the department. All encryption solutions purchased separately from the laptop must be installed by the department before the laptop may be used.
Definition of Encryption and Important Points About Passwords
Having a password on a laptop or mobile storage device does not necessarily mean the instrument is encrypted. To be encrypted, the instrument must be installed with encryption software that codes (scrambles) information so that it can only be decoded and read by the person who has the correct decoding key (e.g. password). Hence, both a password and encryption software are needed in order for a laptop or mobile storage device to be considered fully encrypted.
Because a password is used to decode the information stored on an encrypted instrument, a password should be carefully crafted. Tips for choosing a best-practice password are provided below. It is also critical to memorize and/or store passwords in a safe location. If a password is forgotten/lost, the instrument's data will not be able to be decoded and will be lost.
Questions about information security should be directed to:
Information Security Office
Questions about purchasing encrypted laptops or storage devices should be directed to:
Jeannette Anderson, Buyer