Encryption Usage and Key Escrow Standard
Date of Current Revision or Creation:ÌýJanuary 1, 2022
The purpose of an Information Technology Standard is to specify requirements for compliance with ±¬ÁÏ¹Ï Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this compliance standard is to establish guidelines for the use of encryption to secure University information in transit on a network or stored on any form of media.
Definitions
Encryption: Encrypting or scrambling data to assure confidentiality and integrity.
In Transit: Data being moved from one location to another.
At Rest: Data stored in a location
ITS is the acronym for the official name of Information Technology Services.
Escrowing: Storing and managing key and/or certificates in a system to protect against lost or stolen keys or certificates.
Proven Standardized Algorithms are ciphers or methods of encryption that are either selected as official methods for the Federal Information Processing Standard or methods that have experienced intense scrutiny and have widespread use.
User includes anyone who accesses and uses the ±¬ÁÏ¹Ï information technology resources.
Standards Statement
Encryption Usage
Only industry standard algorithms and methods will be used as the basis for encryption technology. Accepted methods are available from ITS upon request.
Public and private key sizes and algorithms must meet the current best practices for industry standard encryption. Hashing algorithms for digital signatures or password obfuscation with weaknesses such as MD5 and SHA1 should not be used.
IT Security will follow a documented response procedure for when keys are compromised.
±¬ÁÏ¹Ï must have a secure key management process for the administration and distribution of encryption keys.
±¬ÁÏ¹Ï must generate all encryption keys through an approved encryption package and securely store the keys in the event of key loss due to unexpected circumstances.
Encryption must be used during transmission of sensitive data commensurate with sensitivity and risk.
Encryption should be used for all transmission of data when possible.
Key and Certificate Management
-
In Transit Encryption
-
Keys and Certificates for in transit Encryption should be protected from incidental release and not transmitted through insecure methods.
-
These keys must be changed if they are compromised.
-
-
At Rest Encryption
-
Escrowing keys and certificates are essential for disaster recovery and business continuity. Keys and certificates for critical business services must be escrowed with ITS Security. This includes any keys used by systems or users to protect documents or data.
-
-
Personal Encryption
-
Keys used as personal credentials must be escrowed by the user.
-
Keys used for personal at rest encryption must be escrowed by ITS Security or through an approved system.
-
Encryption Outside of the United States
Users must comply with Federal law regarding the development and use of encryption outside of the United States.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3500 - Use of Computing Resources
- University Policy 3504 - Data Classification
- University Policy 3505 - Information Technology Security
History
Date | Responsible Party | Action |
October 2008 | ITAC/CIO | Created |
October 2010 | ITAC/CIO | Reaffirmed |
October 2011 | ITAC/CIO | Reaffirmed |
March 2014 | IT Policy Office | Minor rewording for clarity Number revision and departmental name change |
May 2018 | IT Policy Office | Reviewed; definitions and links updated |
January 2022 | IT Policy Office | Reviewed and updated links; minor wording changes |