Data Encryption Policy 1

Data Encryption Policy

1. Overview

[LEP] “Confidential Information” and Employee, Educator or Student Personally Identifiable Information
(“PII”) must be protected while stored at-rest and in-transit. Appropriate encryption technologies must be
used to protect the [LEP].

2. Purpose

The purpose of this policy is to provide guidance on the use of encryption technologies to protect [LEP]
data, information resources, and other Confidential Information or PII while stored at rest or transmitted
between parties. This policy also provides direction to ensure that regulations are followed.

3. Scope

This policy applies to all [LEP] staff that create, deploy, transmit, or support application and system
software containing Confidential Information or PII. It addresses encryption policy and controls for
Confidential Information or PII that is at rest (including portable devices and removable media), data in
motion (transmission security), and encryption key standards and management.

4. Policy

5. ACCESS

The [Insert Appropriate Role] or their designee shall ensure:

o Policies, procedures, scenarios, and processes must identify Confidential

Information or PII that must be encrypted to protect against persons or programs
that have not been granted access.

o [LEP] implements appropriate mechanisms to encrypt and decrypt Confidential

Information or PII whenever deemed appropriate. Internal procedures shall
specify how [LEP] transmits sensitive information as well as how often the
information is transmitted.

o When encryption is needed based on data classification to protect Confidential

Information or PII during transmission. Procedures shall specify the methods of
encryption used to protect the transmission of Confidential Information or PII.

o Logical user access is managed separately and independently of native

operating system authentication and access control mechanisms (for example,
by not using local user account databases or general network login credentials)
when disk encryption is used rather than file or column level database
encryption.

6. ENCRYPTION KEY LENGTH

[LEP] uses software encryption technology to protect Confidential Information or PII. To

provide the highest-level security while balancing throughput and response times, encryption
key lengths should use current industry standard encryption algorithms for Confidential
Information or PII.

Sample IT Security Policies

 Data Encryption Policy 2

The use of proprietary encryption algorithms are not allowed unless reviewed by qualified
experts outside of the vendor in question and approved by [LEP] management.

7. AT-REST ENCRYPTION

 Hard drives that are not fully encrypted (e.g., disks that one or more un-encrypted
partitions, virtual disks) but connect to encrypted USB devices, may be vulnerable to
security breach from the encrypted region to the unencrypted region. Full disk
encryption avoids this problem and shall be the method of choice for user devices
containing Confidential Information or PII.

 Confidential Information or PII at rest on computer systems owned by and located

within [LEP] controlled spaces, devices, and networks should be protected by one or
more of the following mechanisms:

o Disk/File System Encryption (e.g. Microsoft EFS technology)

o Use of Virtual Private Networks (VPN’s) and Firewalls with strict access
controls that authenticate the identity of those individuals accessing the
Confidential Information or PII

o Sanitizing, redacting, and/or de-identifying the data requiring protection

during storage to prevent unauthorized risk and exposure (e.g., masking or
blurring PII)

o Supplemental compensating or complimentary security controls including

complex passwords, and physical isolation/access to the data

o Strong cryptography on authentication credentials (i.e. passwords/phrases)

shall be made unreadable during transmission and storage on all information
systems

o Password protection to be used in combination with all controls including

encryption

o File systems, disks, and tape drives in servers and Storage Area Network
(SAN) environments are encrypted using industry standard encryption
technology

o Computer hard drives and other storage media that have been encrypted
shall be sanitized to prevent unauthorized exposure upon return for
redistribution or disposal

8. PORTABLE DEVICE ENCRYPTION

 Portable devices (e.g. smart-phones, flash cards, SD cards, USB file storage)
represent a specific category of devices that contain data-at-rest. Many incidents
involving unauthorized exposure of Confidential Information or PII are the result of
stolen or lost portable computing devices. The most reliable way to prevent
exposure is to avoid storing Confidential Information or PII on these devices.

 As a general practice, Confidential Information or PII shall not be copied to or stored

on a portable computing device or [LEP]-owned computing device. However, in

Sample IT Security Policies

 Data Encryption Policy 3

situations requiring Confidential Information or PII to be stored on such devices,

encryption reduces the risk of unauthorized disclosure in the event that the device
becomes lost or stolen. The following procedures shall be implemented when using
portable storage:

o Hard drives (laptops, tablets, smartphones and personal digital assistants

(PDAs)) shall be encrypted using products and/or methods approved by
[LEP] [Insert Appropriate Roles]. Unless otherwise approved by
management, such devices shall have full disk encryption with pre-boot
authentication.

o Devices shall not be used for the long-term storage of any Confidential
Information or PII.

o All devices shall have proper and appropriate protection mechanisms

installed including approved anti-malware/virus software, personal firewalls
with unneeded services and ports turned off, and properly configured
applications.

o Removable media including CD’s, DVD’s, USB flash drives, etc. shall not be
used to store Confidential Information or PII.

9. IN-TRANSIT ENCRYPTION

In-transit encryption refers to transmission of data between end-points. The intent of these
policies is to ensure that Confidential Information or PII transmitted between companies,
across physical networks, or wirelessly is secured and encrypted in a fashion that protects
student Confidential Information or PII from a breach.

The [Insert Appropriate Role] or their designee shall ensure:

 Formal transfer policies, protocols, procedures, and controls are implemented to

protect the transfer of information through the use of all types of communication and
transmission facilities.

 Users follow [LEP] acceptable use policies when transmitting data and take particular
care when transmitting or re-transmitting Confidential Information or PII received from
non-[LEP] staff.

 Strong cryptography and security protocols (e.g. TLS, IPSEC, SSH, etc.) are used to
safeguard Confidential Information or PII during transmission over open public
networks. Such controls include:

o Only accepting trusted keys and certificates, protocols in use only support
secure versions or configurations, and encryption strength is appropriate for
the encryption methodology in use.

o Public networks include but are not limited to the Internet, Wireless
technologies, including 802.11, Bluetooth, and cellular technologies.

o Confidential Information or PII transmitted in e-mail messages are encrypted.

Any Confidential Information or PII transmitted through a public network (e.g.,
Internet) to and from vendors, customers, or entities doing business with

Sample IT Security Policies

 Data Encryption Policy 4

[LEP] must be encrypted or transmitted through an encrypted tunnel (VPN)

or point-to-point tunneling protocols (PPTP) that include current transport
layer security (TLS) implementations.

o Wireless (Wi-Fi) transmissions used to access [LEP] computing devices or

internal networks must be encrypted using current wireless security standard
protocols (e.g. RADIUS, WPS private/public keys or other industry standard
mechanisms).

o Encryption or an encrypted/secured channel is required when users access

[LEP] Confidential Information or PII remotely from a shared network,
including connections from a Bluetooth device to a [LEP] PDA or cell phone.

o Secure encrypted transfer of documents and Confidential Information or PII

over the internet uses current secure file transfer programs such as “SFTP”
(FTP over SSH) and secure copy command (SCP).

o All non-console administrative access such as browser/web based

management tools are encrypted using SSL based browser technologies
using the most current security algorithm.

10. ENCRYPTION KEY MANAGEMENT

Effective enterprise public and private key management is a crucial element in ensuring
encryption system security. Key management procedures must ensure that authorized
users can access and decrypt all encrypted Confidential Information or PII using controls
that meet operational needs. [LEP] key management systems are characterized by
following security precautions and attributes:

 [LEP] uses procedural controls to enforce the concepts of least privilege and
separation of duties for staff. These controls apply to persons involved in encryption
key management or who have access to security-relevant encryption key facilities
and processes, including Certificate Authority (CA) and Registration Authority (RA),
and/or contractor staff.

 [Insert Appropriate Role] shall verify backup storage for key passwords, files, and
Confidential Information or PII to avoid single point of failure and ensure access to
encrypted Confidential Information or PII.

 Key management should be fully automated. [LEP] [Insert Appropriate Role] should
not have the opportunity to expose a key or influence the key creation.

 Keys in storage and transit must be encrypted.

 Private keys must be kept confidential.

 Application and system resource owners should be responsible for establishing data
encryption policies that grant exceptions based on demonstration of a business need
and an assessment of the risk of unauthorized access to or loss of Confidential
Information or PII.

The [Insert Appropriate Role] or their designee shall ensure:

Sample IT Security Policies

 Data Encryption Policy 5

 Decryption keys are not associated with user accounts.

 Documentation and procedures exist to protect keys used to secure stored

Confidential Information or PII against disclosure and misuse.

 Restrict access to cryptographic keys to the fewest number of custodians

necessary.

 Cryptographic keys are stored in the fewest possible locations.

 Key management processes and procedures for cryptographic keys are fully
documented.

 Retirement or replacement (for example, archiving, destruction, and/or revocation)

of keys as deemed necessary when the integrity of the key has been weakened or
keys are suspected of being compromised.

Note: If retired or replaced cryptographic keys need to be retained, these keys must be
securely archived. Archived cryptographic keys should only be used for
decryption/verification purposes.

Cryptographic key custodians shall formally acknowledge that they understand and
accept their key-custodian responsibilities.

11. Audit Controls and Management

On-demand documented procedures and evidence of practice should be in place for this operational
policy as part of [LEP] operational methodology.

 [LEP] shall inventory encrypted devices and validate implementation of encryption products
at least annually.

 Documentation shall exist for key management procedures.

 At-Rest encryption procedures exist and can be demonstrated.

 In-Transit encryption procedures exist and can be demonstrated.

 Exception logs exist and can be produced for those resources that are excluded from this
policy.

12. Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including
termination.

13. Distribution

This policy is to be distributed to all [LEP] staff and contractors using [LEP] Confidential Information or PII
resources.

Sample IT Security Policies

 Data Encryption Policy 6

14. Policy Version History

Version Date Description Approved By

1.0 9/13/2016 Initial Policy Drafted

Sample IT Security Policies