When must Highly Sensitive Data (HSD) be protected by encryption? HSD must be protected by encryption: In transport – when being moved from one place to another: Over the internet On removable media In an encrypted file in an otherwise non-encrypted transport (e.g. mail) At rest – when being stored on: Office computers and laptops Removable media A server that has not been approved by the IT Security Office as having sufficient mitigating controls in place Last modified: September 7, 2018