Policy 113 Information Security Encryption

Purpose

Policy 113: Information Security Encryption specifies acceptable encryption algorithms for use with Washington University in St. Louis (WashU) data, encryption requirements for WashU Confidential and Protected Data, and acceptable key management practices, following recommendations of the National Institute of Standards and Technology (NIST).

Applicability and Audience

This policy applies to the encryption methods for all WashU networks, infrastructure, systems, devices (including WashU-owned and personal devices), and applications that create, store, or transmit Confidential or Protected Data and Information. This policy also applies to encryption keys issued by WashU, used for WashU business, or used to protect WashU data or systems.  

This policy applies to all members of the WashU Community, including faculty, staff, students, and any agent of the university with access to WashU information and networks for contracted services. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy

113.00 Introduction

Encryption protects the Confidentiality and Integrity of data by transforming it into ciphertext using a mathematical encryption algorithm (a cipher) and a cryptographic key. Ciphertext is meaningless until it has been unscrambled with the correct algorithm and key. Encryption can be used on any kind of data and may be applied to files, emails, systems, networks, as well as many devices and forms of external media.  

WashU requires that all Protected Data are encrypted in transit and at rest, and strongly recommends encryption of Confidential Data. Data in transit refers to data actively moving from one location to another (e.g., from local storage to the cloud, sent via email). Data at rest refers to data in storage (e.g., on a server, hard drive, or in the cloud). Protecting data in transit and at rest may involve encrypting emails, files, systems, and/or devices.  

Additional details are available in Standard 213: Information Security Encryption.

113.01 Encryption Algorithm Requirements

Encryption algorithms used to secure WashU information resources must follow widely accepted and industry-tested standards. Most modern and up-to-date devices and programs already implement such standards. Additional information about acceptable encryption algorithms is available in Standard 213: Information Security Encryption.

113.02 Prohibited Encryption Algorithms

WashU prohibits proprietary encryption algorithms or algorithms that are known to be insufficient, weak, or deprecated.  

Many countries ban or regulate the import, export, and use of encryption products. This may impact WashU Community members traveling with encrypted devices. The OIS recommends that faculty and staff traveling for work request a loaner laptop. Refer to the Office of the Vice Chancellor of Research website for additional information about restricted countries, entities, and persons.

113.03 Encryption Requirements

All WashU Protected Data and Information must be properly encrypted both during transfer between systems and when being stored on systems (i.e., in transit and at rest). Encryption is strongly recommended for WashU Confidential Data. 

Standard 213: Information Security Encryption details encryption requirements and methods according to data and information classification.  

Standard 206: Server Security and Standard 206.1 Network Security specify encryption requirements for WashU servers and networks by the type of data they contain.  

Standard 203: Universal Device Management specifies encryption requirements for all devices.

113.04 Key Management

Secure key management practices need to be implemented to protect encryption keys from unauthorized access, loss, or theft. This includes the generation, storage, distribution, rotation, and destruction of encryption keys in accordance with established cryptographic standards and procedures.  

Cryptographic key establishment and management can be performed using manual procedures or automated mechanisms with supporting processes and procedures. IT will document details about key generation, distribution, and storage. 

Refer to Standard 213: Information Security Encryption for specific requirements.

113.05 Loss and Theft of Encryption Keys

The loss, theft, or unauthorized disclosure of any encryption key used with WashU data must be immediately reported to the Office of Information Security.

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users should request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct. 

  

Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees.

Standard 200: Information Security Classification, Labeling, and Handling 

Standard 203: Universal Device Management 

Standard 206: Server Security  

Standard 206.1: Network Security 

Standard 213: Information Security Encryption 

References

Policy Review

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 113 Information Security Encryption 

Owner: Office of Information Security

Approved By: Cyber Security Executive Advisory Committee

Original Approval Date: May 11, 2016 

Current Version Publication Date: December 6, 2024