Appendix B: Data Encryption Computing Hardware Compliance Recommendations

While a number of departments have already implemented data encryption, we recommend that these departments ensure that their choice of encryption solution maintains the following standards:

  • Enterprise level WDE encryption product that meets and addresses legislative requirements;
  • Support for complex passwords;
    • At a minimum must enforce the 8 character, upper case letters, lower case letters, numbers and symbols password complexity requirements for FIPPA;
    • Ideally supports entropy levels, to allow passphrases that have equivalent entropy to the FIPPA requirements but are easier to remember;
    • Strong–High performance with 256-bit AES encryption;
    • Centralized security policy and Key management/escrow;
    • Centralized password recovery: creates, distributes, and stores encryption keys while maintaining the organization’s ability to recover data;
    • Centralized Reporting and logging that provides visibility into the current state of data protection to provide oversight on all the Laptops that have been lost or stolen i.e. we know of the last time the lost or stolen laptop was on the network and whether it was encrypted or not;
    • CC EAL 4+ certification and FIPS 140-2 validated;
    • Laptops must be configured to hibernate upon lid closure;
    • Standby/sleep must be disabled; users must be trained to use hibernation or power down when not using the laptop;
    • Screensaver idle system locking must ben enabled and set for no more than 30 minutes, 15 minutes is recommended;
    • Complex password protection to enforce device lockdown after a specified number of invalid attempts.