113 Information Security Encryption
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | System Owners | System Custodians/Administrators | WashU IT | Departments, Schools, Units
---|---|---|---|---|---
All Protected Data must be encrypted in transit and at rest. | ✔ | ✔ | ✔ | ✔ | ✔
Encryption in transit and at rest is strongly recommended for Confidential Data. | ✔ | ✔ | ✔ | ✔ | ✔
Encryption algorithms must follow widely accepted and industry-tested standards. | ✔ | ✔ | ✔ | ✔ | ✔
Proprietary algorithms or algorithms known to be insufficient, weak or deprecated, are prohibited. | ✔ | ✔ | ✔ | ✔ | ✔
Loaner laptops are recommended for faculty and staff working abroad. | ✔ (faculty/staff) | ✔ | ✔ | ✔ | ✔
Key management practices will adhere to Standard 213. | ✔ | ✔ | | |
The loss, theft, or unauthorized disclosure of any encryption key used with WashU data must be immediately reported to OIS. | ✔ | ✔ | ✔ | ✔ | ✔
Summary of Policy
Encryption protects the Confidentiality and Integrity of WashU information in transit and at rest. Based on encryption recommendations from the National Institute of Standards and Technology, Policy 113 helps WashU protect university data, preserve public trust by avoiding data leaks, and meet legal and regulatory requirements. Specifically, the policy communicates the following:
- Encryption requirements and recommendations for WashU Confidential and Protected Data
- Acceptable encryption algorithms for use with WashU data
- Acceptable key management practices
- Responding to the loss or theft of encryption keys
Full Text of Policy
Policy 113 Information Security Encryption
This policy specifies acceptable encryption algorithms for use with Washington University in St. Louis (WashU) data, encryption requirements for WashU Confidential and Protected Data, and acceptable key management practices, following recommendations of the National Institute of Standards and Technology (NIST).
Related Information
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
203 Universal Device Management
DRAFT This standard is designed to mitigate risk, protect sensitive data, and maintain the overall security posture of Washington University in St. Louis (WashU) by ensuring all devices used for university activities are properly configured, secured, and maintained.
206 Server Security
DRAFT This standard establishes a protocol for securing servers within Washington University in St. Louis (WashU).
206.1 Network Security
DRAFT This standard establishes a comprehensive framework for protecting WashU’s network infrastructure against threats and vulnerabilities.
213 Information Security Encryption
DRAFT This standard establishes security guidelines at the university to protect electronic information from unauthorized access, modification, or loss during storage, transfer, or use.