
It is always a good idea to encrypt your data, and with modern computing devices, enabling full disk encryption is usually a very simple process. However, in other cases, encrypting data can be costly and may require considerable effort. While we strongly recommend that you always encrypt your data, the choice to do so often comes down to whether encryption is required or not. To answer this question, encryption is required in the following cases:

  • If you are working with regulated data where encryption is required either by law or by IU policy, such as PHI
  • If the data you are working with is subject to a contract, data use agreement, IRB approval, etc. that requires encryption
  • If you are working with institutional data that is classified as critical data

In certain, very limited cases, encryption may not be possible on a system, in which case other mitigating controls must be in place to ensure the data is protected. In such cases, the system and the mitigating controls in place must be approved by the relevant parties. Depending on the circumstance, the relevant parties could include the Office of Research Compliance (ORC), Institutional Review Board (IRB), University Information Policy Office (UIPO), or the Data Stewards. If you would like assistance reviewing your use of encryption, or assessing compensating controls, please contact us at securemyresearch@iu.edu.

Directions

  1. For instructions on encrypting your data, use the related articles and search function below to find the instructions for the type of system you are using.


Email securemyresearch@iu.edu if you have other questions about cybersecurity or compliance relating to your research project.


Beware of this pitfall

A common misconception is that it is inherently secure to send data from your workstation to another system simply because your system has full disk encryption enabled. In truth, when a file is sent in this scenario, the file is decrypted before it is sent. This means that the unencrypted file is transmitted and arrives unencrypted at the recipient's end. Even if you use an encrypted channel such as HTTPS, this only ensures that the transmission of the file is encrypted. The end result is the same: the file that is received will be the unencrypted version of the file you sent. To ensure that the data you are sending arrives as an encrypted file, you must encrypt that file using file-level encryption prior to sending it.
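
One way to apply file-level encryption before a transfer, shown as an added example that is not part of the original page. It assumes the openssl command-line tool (OpenSSL 1.1.1 or later); the function names, file names, sample data and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, sample data and the passphrase are constructed.
# Assumes the openssl CLI, version 1.1.1 or later (for -pbkdf2).

# encrypt_for_transfer PLAIN OUT PASSFILE
# AES-256-CBC with a PBKDF2-derived key. The passphrase is read from a file
# so it does not show up in the process list or shell history.
encrypt_for_transfer() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_received ENC OUT PASSFILE  (run by the recipient)
decrypt_received() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# is_encrypted_blob FILE
# Pre-send check: openssl's salted output starts with the 8 bytes "Salted__".
# A file read from an encrypted disk is plaintext and fails this check.
is_encrypted_blob() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# ciphertext_digest FILE
# openssl enc does not authenticate the ciphertext, so give the recipient this
# SHA-256 over a separate channel to detect corruption or tampering.
ciphertext_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

demo() {
    work=$(mktemp -d) || return 1
    printf 'subject_id,value\n1001,constructed-sample\n' > "$work/data.csv"
    printf 'constructed-passphrase\n' > "$work/pass"
    is_encrypted_blob "$work/data.csv" || echo "data.csv: plaintext, do not send"
    encrypt_for_transfer "$work/data.csv" "$work/data.csv.enc" "$work/pass"
    is_encrypted_blob "$work/data.csv.enc" && echo "data.csv.enc: ok to send"
    echo "sha256: $(ciphertext_digest "$work/data.csv.enc")"
    decrypt_received "$work/data.csv.enc" "$work/roundtrip.csv" "$work/pass"
    cmp -s "$work/data.csv" "$work/roundtrip.csv" && echo "recipient round-trip ok"
    rm -rf "$work"
}
demo
```

Share the passphrase with the recipient over a different channel than the one used for the file.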

We want your feedback

Please email securemyresearch@iu.edu to report errors/omissions and send critiques, suggestions for improvements, new use cases/recipes, or any other positive or negative feedback you might have.  It will be your contribution to the Cookbook and appreciated by all who use it.
