Encryption Policy
| Effective Date | January 1, 2026 | Policy Owner | Information Technology Services (ITS) |
| Last Reviewed Date | January 1, 2026 | Approved By | VP for IT and CIO/CISO |
| Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
Policy Purpose
Encryption is the process of encoding information in order to protect the data, and can be applied to data that is stored (at-rest) or transmitted (in-transit) over networks. It reduces the risk of unauthorized access or disclosure, and may help mitigate financial, regulatory, reputational, and institutional risks to New York Tech related to loss or breach of unencrypted data.
Encryption is used in conjunction with other data protection controls, such as access control, strong passwords, authentication, and authorization.
Federal/state regulations and contractual agreements may require additional actions that exceed those included in this policy.
Policy Scope
This policy applies to all New York Tech campuses, and to all research, teaching and learning, clinical, and administrative data. It further applies to:
- All departments, schools, faculty, principal investigators, and staff that process, maintain, transmit, or store University Data classified as Confidential or Restricted on any university owned device, whether or not it is connected to the campus network and whether or not it is university or self-managed;
- Any storage media that has been used to store Confidential or Restricted data;
- Any third-party provider with a contractual relationship with the university that maintains the same data types.
Definitions
- Encryption: The process of transforming data so that it is unreadable by anyone who does not have the decryption key.
- University Data: Those data, regardless of format, maintained by New York Tech or a party acting on behalf of New York Tech. University Data (electronic and paper) includes information stored in any institutional database, file system, storage medium, or paper that contains information on past, current, or future students, employees, or donors/friends. All University Data, whether maintained in a central database, copied into other data/file systems, or printed onto paper, remain the property of New York Tech and are governed by this policy statement.
Policy Statement
Encrypting Data at Rest
Encryption at rest involves encrypting data when it is stored on a server or hard drive. There are two recognized methods for encrypting data-at-rest:
- Full Disk Encryption, also called whole disk encryption, encrypts the entire device or disk partitions at once. It provides good protection against data loss due to theft or other loss and requires less attention to how one handles files.
- File-Level Encryption encrypts individual files. There are two methods of file-level encryption:
  - The file is decrypted only when it is in use, which is typically the case with application-based encryption.
  - The file is not automatically re-encrypted when one is done viewing or editing it, as is the case with standalone encryption utilities.
Encryption Requirements for Data-at-Rest by Location or Type of Device (Table 1)
| Location or Device Type | Confidential | Restricted | Public |
|---|---|---|---|
| Data Centers | Required | Required | Recommended |
| Machine Rooms | Required | Required | Recommended |
| Laptops (New York Tech owned) | Required | Required | Required |
| Desktops (New York Tech owned) | Required | Required | Required |
| Cloud Providers | Required | Required | Required |
| Personally Owned Devices | Not Permitted | Not Permitted | Recommended |
| Portable and Removable Storage Media | Not Permitted | Not Permitted | Recommended |
- Data Centers: Data stored on devices within New York Tech Data Centers is presumed to be protected from unauthorized access because of the physical security and physical access control provided within the data center.
- Portable and Removable Storage Media: Due to the risk of these devices being lost or stolen, portable media can only be used to store Public Data. Confidential or Restricted Data is prohibited from being stored on a portable and removable storage device.
- Personally Owned Devices: Personally owned devices have a similar risk to portable devices and media with respect to being lost or stolen. All personally owned devices that process, maintain, transmit, or store University Data must be in compliance with all applicable policies in addition to any specific Encryption requirements as identified in Table 1.
- Data Backups: All data stored on the New York Tech network file share is backed up regularly. Personal backups of New York Tech data on external hard drives and media are not permitted, whether or not the device is encrypted.
Encrypting Data-in-Transit (Table 2)
Malicious users may intercept or monitor unencrypted data when transmitted on untrusted networks, and gain unauthorized access that jeopardizes the confidentiality and integrity of sensitive institutional data.
| Transmission | Confidential | Restricted | Public |
|---|---|---|---|
| Data transmitted within a single campus (Old Westbury, New York City, Vancouver, Jonesboro) | Recommended | Recommended | Recommended |
| Data transmitted between New York Tech campuses | Required | Required | Recommended |
| Data transmitted externally | Required | Required | Recommended |
The following are examples of the most commonly employed technologies that provide encryption of data in transit.
- Virtual Private Network (VPN): Users traveling on university business, or who need to access the New York Tech network and any sensitive university data from a non-university or public network, must use the New York Tech VPN, which meets this standard. It also permits access to applications or data that require an on-campus connection.
- Secure Web Traffic: HTTPS is a protocol that encrypts traffic between a web browser and a web-based application.
Related Internal Policies
- New York Tech Written Information Security Program
- Acceptable Use Policy
- Mobile Device Policy
- Data Security and Access Management Policy
Regulatory References
- Federal legislation
  - HIPAA (Health Insurance Portability and Accountability Act)
  - FRCP (Federal Rules of Civil Procedure – a.k.a. eDiscovery)
  - USA Patriot Act
  - FERPA (Family Educational Rights and Privacy Act)
  - GLBA (Gramm-Leach-Bliley Act)
  - FISMA (Federal Information Security Modernization Act)
- State regulations
  - SHIELD Act (New York's Stop Hacks and Improve Electronic Data Security Act) and other state security regulations
- Associations
  - PCI DSS (Payment Card Industry Data Security Standard)
- International
  - GDPR (European Union's General Data Protection Regulation)
  - PIPEDA (Canadian Personal Information Protection and Electronic Documents Act)
  - PIPA (British Columbia's Personal Information Protection Act)
Violations
Violations of this Policy may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the New York Tech network that do not comply with this policy may be limited or disconnected.
In addition to New York Tech disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any New York Tech department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.