Mobile Device Security FAQ

Small devices intended primarily for the access to or processing of data, which can be easily carried by a single person and provide persistent storage. New products with these characteristics appear frequently. Current examples include, but are not limited to, the following types of products:

All mobile computing devices that store Green River College Data must be fully encrypted, regardless of ownership. For example, smartphones and tablets store Green River College Data when they are configured to access GRC email. This means that personally owned laptops, smartphones and tablets used for college business must be encrypted.

There are two exceptions included in the Mobile Computing and Storage Devices Standard that have a very limited scope:

Specific uses where no sensitive data will be stored and encryption would interfere with the device’s intended use. Devices used in this way must be clearly marked as not for use with Restricted Data.

This exception is intended only for situations such as SD cards used in digital cameras or bootable USB drives used to install operating systems. This does not include situations in which encryption is inconvenient or adds undesired complexity.

Specific uses in which devices are used for marketing and public relations, no Restricted Data will be stored, and the intended recipient is not a member of the GRC Community. Devices used in this way must be clearly marked as not for use with sensitive data.

This exception is limited to marketing activities such as if prospective students are provided publicly available materials in an electronic form, or when team rosters are submitted to organizers of athletic events.

My smartphone or tablet does not support encryption that is compliant with GRC’s requirements. What can I do?

The encryption and passcode requirements apply to any device used to store college data. If your device cannot comply, then you need to be certain that you do not use it to access or store college data. Next time you go to purchase a smartphone or tablet, be sure to choose a model that can meet GRC’s requirements. Check the instructions for encrypting the different phone models to help find a compliant phone model. Portable computers that are not capable of using a supported and GRC-standards compliant encryption method may use another form of whole disk encryption. There are very specific requirements that must be followed.

This depends on the encryption method used. Please see the instructions for your particular computer. If you need assistance, please contact the GRC IT helpdesk.

GRC requires that portable storage devices such as flash drives and portable hard drives be fully encrypted. GRC has tested and recommends the Kingston Data Traveler Vault Privacy USB drive. There are very limited exceptions to this requirement, see Exceptions for encrypting portable storage devices for more information.

Would emails I send out from my encrypted laptop be encrypted? If so, how would other users read my mail?

Encrypting your laptop’s hard drive or device’s storage only affects the data as stored on the device. This prevents someone who obtains your device without your password from being able to read the files directly from the hard drive. Individual files and emails are not encrypted, rather it is the complete disk. Files copied off the device, or emails that are sent from the device will not be encrypted, and thus need to be protected. You should manually encrypt any emails that contain sensitive data.

In most cases there should be no problem traveling with typical consumer encryption products, but there are restrictions based on the country and the type of technology. Please verify that you are compliant with the laws of your country of destination before you travel.
Please refer to Initiating International Business Travel for more information and links to request an export control review.

Gator Alert