5345.2 CRYPTOGRAPHY
(New 03/08)
Encryption, or equally effective measures, is required for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This policy does not apply to mainframe and server tapes.
For the purpose of this policy, the terms "confidential information" and "sensitive information" are defined in SAM Section 5320.5, and "personal information" is defined in three categories as follows:
- Notice-triggering information (Civil Code Section 1798.29).
- Protected health information (45 C.F.R. Section 160.103).
- Electronic health information (45 C.F.R. Section 160.103).
Alternatives to encryption must be reviewed on a case-by-case basis and approved in writing by the agency ISO.