UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving the Data Encryption on Removable Media requirement.

Requirement

Anyone storing covered data on portable devices (such as laptops and smartphones) or removable and easily transported storage media (such as USB drives or CDs/DVDs) must use industry-accepted encryption technologies.

Malicious users may gain unauthorized physical or logical access to a device, transfer information from the device to an attacker's system, and perform other actions that jeopardize the confidentiality of the information on a device.

Removable media and mobile devices must be properly encrypted following the guidelines below when used to store covered data. Mobile devices include laptops and smartphones.

- Develop and test an appropriate Data Recovery Plan (see Additional Resources).
- Use compliant encryption algorithms and tools. Whenever possible, use AES (Advanced Encryption Standard) for the encryption algorithm because of its strength and speed. For more information, refer to NIST's Guide to Storage Encryption Technologies for End User Devices.
- When creating a password, follow strong password requirements as defined in MSSND Control #5. Do NOT use the same password from other systems.
- Use a secure password management tool (see Additional Resources) to store sensitive information such as passwords and recovery keys.
- Where passwords need to be shared with other users, ensure that passwords are sent separately from the encrypted file, e.g. call the person to verbally communicate the password.
- Do NOT write down the password and store it at the same location as the storage media (e.g. a post-it note with the password next to the encrypted USB drive).
- cabinets, lock boxes, etc.) where access is limited to users on a need-to-know basis.
- Document the physical location of removable media, along with the label information (specified above) for tracking and future reference.
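The recommendations above (AES, a strong password that is not reused, and a recovery key kept in a password manager rather than with the media) all hang off one mechanism: the data on the media is sealed under a random data key, and that key is unlockable by either the password or an escrowed recovery key. The Go program below is an added example written for this page; it is not code from the UC Berkeley guideline or from NIST, and its Container layout, function names and the 600,000-iteration PBKDF2 setting are this example's own choices. It uses only the Go standard library (a minimal PBKDF2-HMAC-SHA256 is written inline) and AES-256-GCM, so a wrong password or wrong recovery key fails the authentication check instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container is a hypothetical on-media layout (no real tool's format): the payload is
// sealed under a random data key, and that key is wrapped twice, under a key derived
// from the user's password and under a recovery key that is escrowed away from the media.
type Container struct {
	Salt, PwWrap, RecWrap, Payload []byte // wraps and payload are nonce || AES-GCM ciphertext
}

const pbkdf2Iters = 600_000 // OWASP's current figure for PBKDF2-HMAC-SHA256

// pbkdf2SHA256 derives one 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018), written inline
// so the example needs no third-party dependency; one output block suffices for 32 bytes.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1), the big-endian block index
	u := mac.Sum(nil)              // U1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcm builds AES-256-GCM; every key in this example is 32 bytes, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}

// seal encrypts plaintext under key and prefixes a fresh 96-bit random nonce
// (crypto/rand.Read cannot return an error since Go 1.24, so it is not checked).
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM's authentication tag makes a wrong key fail closed.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}

// Encrypt seals payload under a fresh data key and returns the container plus the
// recovery key, which the caller must store separately from the media.
func Encrypt(password, payload []byte) (*Container, []byte) {
	dataKey, recoveryKey, salt := make([]byte, 32), make([]byte, 32), make([]byte, 16)
	rand.Read(dataKey)
	rand.Read(recoveryKey)
	rand.Read(salt)
	kek := pbkdf2SHA256(password, salt, pbkdf2Iters)
	return &Container{Salt: salt, PwWrap: seal(kek, dataKey),
		RecWrap: seal(recoveryKey, dataKey), Payload: seal(dataKey, payload)}, recoveryKey
}

// Decrypt unlocks the data key with the password or, when recoveryKey is non-nil,
// with the escrowed recovery key (the Data Recovery Plan path).
func Decrypt(c *Container, password, recoveryKey []byte) ([]byte, error) {
	key, wrap := recoveryKey, c.RecWrap
	if recoveryKey == nil {
		key, wrap = pbkdf2SHA256(password, c.Salt, pbkdf2Iters), c.PwWrap
	}
	dataKey, err := open(key, wrap) // a wrong credential fails the tag check here
	if err != nil {
		return nil, err
	}
	return open(dataKey, c.Payload)
}

func main() {
	pw := []byte("correct horse battery staple")
	c, rk := Encrypt(pw, []byte("constructed sample: covered data headed for a USB drive"))
	viaPw, _ := Decrypt(c, pw, nil)
	viaRk, _ := Decrypt(c, nil, rk)
	_, bad := Decrypt(c, []byte("wrong password"), nil)
	fmt.Printf("password: %s\nrecovery: %s\nwrong password: %v\n", viaPw, viaRk, bad)
}
```

The recovery key returned by Encrypt is the value that belongs in the password manager, never on or beside the media: losing the password without it means the data is gone, which is why the guideline asks for a tested Data Recovery Plan. The password itself reaches the data only through a deliberately slow derivation, so a reused or weak password is the one part of this design that no algorithm choice can compensate for. For real removable media, rely on the platform's full-disk or volume encryption tooling rather than custom code like this; the example exists to make the recommendations concrete.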