Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
Objective
Use data encryption to prevent unauthorized access to University information stored on IT resources, especially if a device is lost or stolen. Transmission encryption is also required on the transfer of University data classified as private-restricted or private-highly restricted to ensure that it does not traverse the University network in clear text. Legal or regulatory requirements may require additional controls that exceed those included in this standard.
Security Controls
The following table defines the baseline security controls for managing encryption.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| E.A.01 | Periodically review, and update cryptographic key management plan and procedures (suggest: annual) | Required | Required | Recommended |
| E.A.02 | Document the implementation details of all algorithms, protocols, and keys used for the protection of data, including key strength and expiry date | Required | Required | Recommended |
| E.A.03 | Periodically review, and update the process for recovery of encrypted data in the case of lost, compromised, or damaged keys | Required | Required | Recommended |
| E.A.04 | Store key-encrypting keys and data-encrypting keys in different locations | Required | Required | Required |
| E.A.05 | Create key-encrypting keys that are at least as strong as the data encrypting keys they protect | Required | Required | Required |
| E.A.06 | Store encrypted keys (e.g., perpetual) in encrypted format or in a secure location (e.g., encrypted removable media stored in a continuously locked facility) | Required | Required | Recommended |
| E.A.07 | Use encryption technologies that meet NIST FIPS minimum requirements1 | Required | Required | Recommended |
| E.A.08 | Change the encryption key from the default setting during installation | Required | Required | Required |
| E.A.09 | Restrict access to the key to a minimum number of individuals | Required | Required | Recommended |
| E.A.10 | Change encryption keys when someone with access to the key changes job responsibilities or terminates employment, or the key is compromised | Required | Required | Required |
1Encryption of health information, HIPAA or ePHI data requires a FIPS140-2 certified application.
Resources Covered
This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted .
Individuals Covered
This standard applies to University community members who use or manage University IT resources.
Related Information
- More information for Encryption
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to encryption.
Published Date
July 2019