5.7 Encryption
I. Purpose
The purpose of this policy is to define the requirements and guidelines for the use of encryption
technologies on college Information Technology resources to protect the confidentiality of restricted
information. This policy also increases awareness about the need to protect college restricted data.
II. Scope
This policy applies to all employees, agents, students, and representatives of the college who access and
use college Information Technology resources and establishes the administrative and technical
safeguards required for access and authentication.
III. General
Definitions
Information Technology Resources – includes but is not limited to the following: computer and networking equipment, workstations, laptops, software, operating systems, storage devices and media, network accounts, email services and email accounts, Internet browsing and related services, voice mail, applications, scanning and fax systems, tablets, and smartphones.
Systems – same as Information Technology resources.
User – faculty, staff, employee, agent, authorized representative, or student that has access to college Information Technology resources.
Encryption – the process of scrambling or encoding data to protect it from being accessed or manipulated by unauthorized users. It is a process by which data is transformed into a format that renders it unreadable without access to the encryption key and knowledge of the process used.
Encrypted Channel – communications that protect the data being transferred from one computer to another from viewing or alteration by an unauthorized person. Examples include websites that use https or ftps.
Encryption Key – a random string of bits created explicitly for scrambling and unscrambling data.
Whole Disk Encryption – a process in which the entire hard disk (or storage device) is encrypted thereby protecting all the data on the storage device.
Portable data-storage device – any portable device or storage medium capable of storing data. Examples include but are not limited to the following: laptop computer, smart phone, USB drive, CD ROM, or DVD.
Restricted Data – institutional data whose unauthorized disclosure, alteration, or destruction could cause a significant level of risk to the college. Examples include but are not limited to: Social Security numbers, Personally Identifiable Information (PII), Financial Aid data, proprietary college data, physical computing infrastructure and physical plant data.
Policy
- The college will employ reasonable encryption technologies in order to mitigate the risk of disclosure or alteration of college restricted data on all college owned Information Technology resources or services provided through outsourced third party providers.
- Credentialed passwords must be encrypted in transmission.
- Remote sessions to hosts storing restricted data must be encrypted through the use of secure protocols or applications (i.e. TLS/SSL).
- All laptops and workstations owned by the college must employ whole disk encryption to protect the institutional data of the college.
- All portable media containing college restricted data must employ encryption standards.
- All restricted data that is contained within an email, a document attached to an email, or is transmitted through a web portal must employ encryption technologies in order to protect data in transit.
- The transmission of unencrypted restricted data must take place via an encrypted channel. For example, an Excel spreadsheet that contains Social Security numbers and is not encrypted with a password may be sent via encrypted channels (i.e. websites that use https or ftps).
- Encrypted restricted data may be transmitted via encrypted or unencrypted channels. For example, an Excel spreadsheet that contains Social Security numbers and was encrypted with a password can be sent via any communication channel (i.e. websites that use http).
- As a best practice, it is strongly recommended to encrypt any file that contains restricted data and transmit it over an encrypted channel.
- Email messages containing encrypted data may never include the password in the same message as the encrypted data.
- Any restricted data that is transmitted over public networks (i.e. wireless hotspots) must be encrypted.
- All data that is backed up to tape or other media for disaster recovery and business continuity objectives must be encrypted.
- Encryption keys are considered restricted data. Documented procedures for encryption key management will be maintained.
Exceptions
Files do not need to be encrypted when:
- transmitted over the college wired local area network from one internal user to another internal user (i.e. internal email correspondence),
- transmitted from one user to a college managed network drive,
- sent from one user to the college authorized cloud based document repository.
IV. Procedures
Compliance
Information Technology Services staff will verify compliance with this policy through various methods, including but not limited to monitoring, business tool reports, internal and external audits, and feedback to the individual with responsibility for the policy.
Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
V. Approval
President - November 21, 2019
VI. Responsibility
Vice President Technology & CTO