Protection of Confidential Information on Workstations and Laptops


This policy defines a set of security controls (software and hardware measures) which represent contemporary best practices for securing staff laptops and workstations. In addition, these measures assist in bringing Brandeis University in compliance with Massachusetts State law pertaining to the Protection of Personal Information[1].


This policy applies to all members of the Brandeis community and all workstations and laptops owned by Brandeis University. In addition, it applies to any personally owned workstations or laptops that store University information considered Personally Identifiable Information (PII) or meets the broader definition of confidential, e.g. salary information.

This policy does not apply to servers, laboratory equipment and appliances, or dedicated research computing equipment, unless required by the IRB. However, when such equipment stores or processes Personally Identifiable Information, the Brandeis Security Office must be consulted so that adequate security protections can be identified and implemented.


This policy is guided by the following principles:

  1. Adhere to the legal obligations incumbent on Brandeis University
  2. To tie security requirements to risk
  3. Respect our community: all members of the Brandeis community who have access to confidential information have a community obligation to protect this information and the privacy of the individuals it represents


This policy was written with the understanding that due to hardware and software limitations, some devices will require unique tactics to achieve compliance. If you think there are technical barriers to following best practices with your equipment, please complete an exemption request form. (

Standard for the Protection of Confidential Information


  1. All University-owned workstations and laptops that store Personally Identifiable Information (PII) will have their storage media fully encrypted[2].
  2. In addition, any encrypted devices must require a strong password or passphrase to be accessed.


Any University owned workstation or laptop that falls under the foregoing encryption requirement must have all PII backed up remotely on encrypted media or to a University-licensed cloud service.



  1. All University-owned workstations and laptops must have one or more approved antivirus/anti-malware software programs installed.
  2. The University Information Security Office is charged with both providing and approving the programs used to meet this requirement. Any individuals who do not wish to use the provided software should request an exemption to use a different software program(s).

Personally Identifiable Information Protection

All systems that house certain types of restricted PII are subject to the Massachusetts Protection of Personal Information regulations (Mass 201) and/or other applicable data breach notification laws.  University workstations and laptops, regardless of the category of data maintained, must be scanned appropriately to identify PII, using University-approved scanning procedures. Users of University systems must review the results of required scanning to facilitate proper handling of any PII identified. The University Information Security Office is charged with maintaining and approving PII identification tools.

Incident Response and Management

In order to ensure compliance with University policy, as well as with State and Federal data breach regulations, all lost or stolen workstations or laptops must be reported to the Information Security Office immediately upon discovery of the theft or loss so as to attempt recovery and data breach analysis.


Individuals are personally responsible for the consequences of a data breach resulting from non-compliance with this policy and will be handled in accordance with the University's corrective action procedures.


Personally Identifiable Information (PII)

PII is generically defined as information that can be used to uniquely identify an individual. The definition of PII differs from one regulation to another. Brandeis follows and will enact Mass. 201 which defines PII as a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account. Other regulatory regimes typically provide their own definition of PII. However the Mass. 201 definition is the one used by this policy.

Encryption / Full Disk Encryption (FDE)

FDE is a technology that encrypts (encodes) an entire drive such that a special passcode or key is required to access (from the filesystem) any information stored on the drive. Without the key, the information is meaningless. Encryption keys should be at least 256 bits in length.

Massachusetts 201 CR17.0 or Standards for the Protection of Personal Information of Residents of the Commonwealth (Mass. 201)

Mass 201 is the primary regulation protecting personal information within Massachusetts.

University-owned workstation or laptop

Personal computers, owned by Brandeis University, intended for general purpose use by faculty and staff of Brandeis University. Workstations are colloquially called desktop computers to distinguish them from servers or dedicated computing appliances. This expressly includes equipment funded by grants. Other devices, such as phones or tablets, will be addressed in a separate policy.

Antivirus or anti-malware

A general class of software designed to identify common forms of computer viruses, Trojans, worms, and other forms of malicious software. Anti-malware is a term that is gaining currency to describe the broader range of functionality and threats prevented or detected.

Strong Password or Passphrase

A strong password is one that meets our University standard for password formation. Both strong passwords and passphrases are defined in the technology memo at

Members of the Brandeis Community

All faculty, staff, students, contractors, visiting scholars and fellows who connect to the Brandeis network and/or access or store data owned by Brandeis University or data for which Brandeis University is responsible party.

[1] Mass 201 CMR 17.00 See specifically 17.04(5).

[2] Note that by default, University owned laptops and workstations provided by ITS will be encrypted.