Information Security Standards

ENCRYPTION

GENERAL

The purpose of this procedure is to provide guidance for Texas A&M University – Commerce on the use of encryption to protect the University’s information resources that contain, process, or transmit Confidential and/or Sensitive information.

APPLICABILITY

This procedure applies to all Texas A&M University – Commerce employees and affiliates, including contractors. It addresses encryption requirements and controls for Confidential and/or Sensitive data that is at rest (including laptops, tablets, other portable devices and removable media) regardless of ownership of the particular storage device, and data in motion (transmission security). This SAP is compatible with, but does not supersede or guarantee compliance with, all state and federal encryption standards. In the case where multiple standards may apply, the strictest standard must be used.

The information resource owner or designee (e.g., custodian, user) is responsible for ensuring that the risk mitigation measures described in this SAP are implemented. Based on risk management considerations and business functions, the resource owner may determine that it would be appropriate to exclude certain risk mitigation measures provided in this procedure. All exclusions must be approved by the CIO or designee.

PROCEDURES

1. All encryption mechanisms implemented to comply with this procedure must support, at a minimum, AES 256-bit encryption.

2. The use of proprietary encryption algorithms is not allowed for any purpose unless reviewed and approved by the Chief Information Officer or designee.

3. Recovery of encryption keys must be part of business continuity and disaster recovery planning except for data used by a single individual (e.g., grade book archives).

4. When retired, computer hard drives or other storage media that have been encrypted shall be sanitized in accordance with TAC §202.78, Removal of Data from Data Processing Equipment, to prevent unauthorized exposure.

5. Any Confidential or Sensitive data transmitted to or from a site not on the campus network (e.g., to and from vendors, customers, or entities doing business with the University) must be encrypted or be transmitted through a tunnel encrypted with Secure Sockets Layer (SSL) or through a virtual private network (VPN) tunnel.

6. Confidential or Sensitive data should not be transmitted:

a. in the body of an email message or attachments

b. using a web-based email provider (including university webmail)

c. using peer-to-peer (P2P) file sharing

d. via instant message or file sharing via instant messages

7. Encryption is required when Confidential or Sensitive data is accessed remotely from a shared network, including connections from a Bluetooth device to a PDA or cell phone.

8. Transfer of Confidential or Sensitive documents and data over the Internet using secure file transfer programs (e.g., HTTPS, FTPS, SFTP) is permitted.

HISTORY

Last Updated March 31, 2014