University of Minnesota  Appendix

Encryption Standard

Sidebar

Expand all

Sidebar

Table of Contents

TOC placeholder

Governing Policy

Questions?

Please use the contact section in the governing policy.

Objective

Use data encryption to prevent unauthorized access to University information stored on IT resources, especially if a device is lost or stolen. Transmission encryption is also required on the transfer of University data classified as private-restricted or private-highly restricted to ensure that it does not traverse the University network in clear text. Legal or regulatory requirements may require additional controls that exceed those included in this standard.

Security Controls

The following table defines the baseline security controls for managing encryption.

Control Security Level
ID Description High Medium Low
E.A.01 Periodically review, and update cryptographic key management plan and procedures (suggest: annual) Required Required Recommended
E.A.02 Document the implementation details of all algorithms, protocols, and keys used for the protection of data, including key strength and expiry date Required Required Recommended
E.A.03 Periodically review, and update the process for recovery of encrypted data in the case of lost, compromised, or damaged keys Required Required Recommended
E.A.04 Store key-encrypting keys and data-encrypting keys in different locations Required Required Required
E.A.05 Create key-encrypting keys that are at least as strong as the data encrypting keys they protect Required Required Required
E.A.06 Store encrypted keys (e.g., perpetual) in encrypted format or in a secure location (e.g., encrypted removable media stored in a continuously locked facility) Required Required Recommended
E.A.07 Use encryption technologies that meet NIST FIPS minimum requirements1 Required Required Recommended
E.A.08 Change the encryption key from the default setting during installation Required Required Required
E.A.09 Restrict access to the key to a minimum number of individuals Required Required Recommended
E.A.10 Change encryption keys when someone with access to the key changes job responsibilities or terminates employment, or the key is compromised Required Required Required

1Encryption of health information, HIPAA or ePHI data requires a FIPS140-2 certified application.

Resources Covered

This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted .

Individuals Covered

This standard applies to University community members who use or manage University IT resources.

Related Information

Published Date

July 2019