Information Technology Standard 02.5.0

Encryption Usage and Key Escrow Standard


Date of Current Revision or Creation:ÌýJanuary 1, 2022


The purpose of an Information Technology Standard is to specify requirements for compliance with ±¬ÁÏ¹Ï Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to establish guidelines for the use of encryption to secure University information in transit on a network or stored on any form of media.

Definitions

Encryption: Encrypting or scrambling data to assure confidentiality and integrity.

In Transit: Data being moved from one location to another.

At Rest: Data stored in a location

ITS is the acronym for the official name of Information Technology Services.

Escrowing: Storing and managing key and/or certificates in a system to protect against lost or stolen keys or certificates.

Proven Standardized Algorithms are ciphers or methods of encryption that are either selected as official methods for the Federal Information Processing Standard or methods that have experienced intense scrutiny and have widespread use.

User includes anyone who accesses and uses the ±¬ÁÏ¹Ï information technology resources.

Standards Statement

Encryption Usage

Only industry standard algorithms and methods will be used as the basis for encryption technology. Accepted methods are available from ITS upon request.

Public and private key sizes and algorithms must meet the current best practices for industry standard encryption. Hashing algorithms for digital signatures or password obfuscation with weaknesses such as MD5 and SHA1 should not be used.

IT Security will follow a documented response procedure for when keys are compromised.

±¬ÁÏ¹Ï must have a secure key management process for the administration and distribution of encryption keys.

±¬ÁÏ¹Ï must generate all encryption keys through an approved encryption package and securely store the keys in the event of key loss due to unexpected circumstances.

Encryption must be used during transmission of sensitive data commensurate with sensitivity and risk.

Encryption should be used for all transmission of data when possible.

Key and Certificate Management

  1. In Transit Encryption

    1. Keys and Certificates for in transit Encryption should be protected from incidental release and not transmitted through insecure methods.

    2. These keys must be changed if they are compromised.

  2. At Rest Encryption

    1. Escrowing keys and certificates are essential for disaster recovery and business continuity. Keys and certificates for critical business services must be escrowed with ITS Security. This includes any keys used by systems or users to protect documents or data.

  3. Personal Encryption

    1. Keys used as personal credentials must be escrowed by the user.

    2. Keys used for personal at rest encryption must be escrowed by ITS Security or through an approved system.

Encryption Outside of the United States

Users must comply with Federal law regarding the development and use of encryption outside of the United States.

Procedures, Guidelines & Other Related Information

History

Date Responsible Party Action
October 2008 ITAC/CIO Created
October 2010 ITAC/CIO Reaffirmed
October 2011 ITAC/CIO Reaffirmed
March 2014 IT Policy Office Minor rewording for clarity
Number revision and departmental name change
May 2018 IT Policy Office Reviewed; definitions and links updated
January 2022 IT Policy Office Reviewed and updated links; minor wording changes
Ìý