ISO PS018 Encryption of Data
Policy Name: Encryption of Data
Policy Number: IS PS018
Effective Date: March 1, 2010
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew Witten
Contact Email: ISOPol@louisville.edu
Approved By: Compliance Oversight Council
Encryption of sensitive information maintained on or transmitted by computing devices is mandatory. It is the responsibility of each user to ensure encryption for all University related data not hosted on University enterprise systems. Encryption of data hosted on enterprise systems is the responsibility of IT personnel.
Encrypting sensitive information increases the University's ability to maintain compliance with legislation, regulation and contractual obligations, as well as the expectations of our constituents and the community at large, and reduces the risk of a data security breach.
1 - Sensitive information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, confidential or proprietary research data, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc.
2 - Computing Devices: Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, PDAs, email/messaging devices, cell phones, removable hard drives, flash or "thumb" drives, etc., all hereafter referred to as "computing devices".
3 - Enterprise Systems: Server class computing systems physically maintained in the University's computing center by the Information Technology Division which features multiple layers of physical security and access control, back-up power, climate control, fire suppression, data back-up and disaster recovery plans, etc. Only a few computing centers elsewhere fit the enterprise systems category. Servers and computers located in offices, data closets and other areas that do not have the features and dedicated staffing of one of these data centers do not fit the enterprise systems criteria. See Technical Standards section of this document for compatibility of devices with recommended software and alternative recommendations.
Computing devices and storage media
All computing devices and storage media (includes portable and remote) used to store, process or transmit sensitive information must maintain information of this nature using encryption software. Encryption using full disk encryption technology is the recommended method if full disk encryption is supported on your device or media. If not, at a minimum, all sensitive data fields, files or storage partitions must be encrypted. A process to ensure safeguards of devices used for media in transit to off-site locations must exist.
Note: Personal devices must not be used for sensitive information unless the device is configured to comply with these standards.
See IS PS012 Workstation and Computing Devices and IS PS013 Server Computing Devices
All data backups should be encrypted and password protected and must be encrypted if they contain sensitive information unless the backups can be demonstrably shown to be stored in a location with substantial physical security and barriers to entry. Note: Backups containing electronic protected health information (ePHI) must be encrypted. Encryption is mandatory for all backups if custody of the backups is entrusted to a third party (non-UofL personnel). See IS PS015 Backup of Data, IS PS002 Business Continuity and Disaster Recovery.
Transmission of data via e-mail, web access and other means
If sensitive information is transmitted over any network other than the University's internal network, the data or the transmission protocol must be encrypted. See IS PS010 Network Service.
Connecting to University and affiliated computing resources from outside the University network
All connections to these resources (servers, personal computing devices, networking equipment, etc.) must be via a secure and/or encrypted connection such as a VPN, secure HTTP, secure FTP, SSH, direct dial-in or other secure and/or encrypted method. See IS PS010 Network Service.
Acceptable Encryption Technologies
Encryption of sensitive information is mandatory. All users are strongly encouraged to use the University approved encryption software provided, if compatible with your device, free of end user or departmental charge, on the University's iTech Xpress web site (http://louisville.edu/it/departments/enterprise-security/information/encryption-information) unless your device is not supported by the software. Note: Symantec encryption is the only encryption solution supported at this time by IT. Your technical support staff should be familiar with and able to support any other software if you choose to use a different solution.
- Microsoft Windows users are supported on 99%+ of all hardware. Non-compatible hardware includes RAID and SCSI device machines and machines configured for dual or multi-boot operation. Please see IT's technical support FAQs. If your machine contains sensitive information and also has RAID or SCSI devices, is set up for dual/multi-boot operation or is otherwise not compatible, please contact the Information Security Office at firstname.lastname@example.org to discuss alternative methods for safeguarding sensitive information.
- Apple Macintosh users should use the built-in encryption software native to OS X.
- Linux users should use TrueCrypt.
- Smart phone and PDA users should use the encryption software provided by the device manufacturer or supporting vendor.
- For most circumstances where Symantec encryption software is not selected, TrueCrypt should be used (see http://www.truecrypt.org).
Cryptographic Controls
- Cryptographic controls must conform to the University and regulatory cryptographic technology standards, be used only for the intended purpose of protecting sensitive data in transit and at rest, and be used in accordance with all relevant laws, regulations and agreements.
- Cryptographic systems, including key management, must be secure and recoverable, and must be reviewed and approved by an authorized University official prior to implementation.
- Keys should be secured and, where possible, centrally managed.
- A key management process should be created and documented, and should address ownership, authorization, recovery, security, destruction, logging, granting/revoking and distribution.
SCOPE / APPLICABILITY:
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Version / Revision Date / Description
1.0 / February 12, 2010 / Original Publication
1.1 / March 2, 2010 / Clarification of central IT support
1.2 / March 17, 2010 / Replaced "grant reviews" with "confidential or proprietary research data". Clarification of non-compatible devices to specifically include RAID, SCSI and dual/multi-boot platforms.
1.3 / January 29, 2013 / Content Update
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved January 25, 2010 by the Compliance Oversight Council