Encryption helps protect university data from unauthorized disclosure. The guidelines below outline the encryption requirements for university assets and data.
Local encryption is required for all University-managed mobile devices, laptops, and workstations. Local encryption is required for servers storing or processing Internal Use, Confidential, or Restricted data.
Encryption technology will vary based on device and manufacturer. Where possible, whole disk encryption should be enabled.
Network encryption is required for all systems transmitting Internal Use, Confidential, or Restricted University data.
Systems shall be configured to negotiate TLS 1.2 and should be configured to negotiate TLS 1.3. The use of TLS versions 1.1 and 1.0 is generally discouraged, but these versions may be enabled when necessary for interoperability in specific cases. Servers shall not allow the use of SSL 2.0 or SSL 3.0.
In most production systems, certificates for TLS should be obtained from a publicly trusted CA (a CA that the clients connecting to the server are already configured to trust). In certain cases where all the clients are under University control, self-signed certificates can be used if the solution owner can configure the clients to trust that CA. Test and development systems may use self-signed certificates, but should not be accessible from outside the University network.
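The two preceding paragraphs can be expressed directly as TLS context settings. The following Python example, added here and not part of the University's guideline or tooling, builds a server context that requires TLS 1.2 or newer (which by construction rules out SSL 2.0/3.0), exposes the TLS 1.0/1.1 exception as an explicit opt-in, builds a client context that keeps certificate and hostname verification on while optionally adding an internal CA bundle for the self-signed-certificate case, and reports whether a context meets the baseline. Certificate, key and CA bundle paths are hypothetical arguments supplied by the caller; nothing is read from disk unless they are given.

```python
import ssl

# Assumption: the guideline's "TLS 1.2 required, 1.3 recommended" baseline is
# mapped onto ssl.TLSVersion, with 1.0/1.1 available only through an explicit
# exception flag. SSL 2.0/3.0 sit below TLS 1.0, so any minimum of TLS 1.0 or
# higher already blocks them.
BASELINE_MINIMUM = ssl.TLSVersion.TLSv1_2


def hardened_server_context(certfile=None, keyfile=None, allow_legacy_tls=False):
    """Server-side SSLContext matching the University TLS guideline.

    certfile/keyfile: hypothetical PEM paths for the server certificate chain
    and private key. When omitted, the context is still built so its version
    policy can be inspected (useful in configuration tests).
    allow_legacy_tls: the documented exception; lowers the floor to TLS 1.0
    for interoperability with a specific legacy peer. Leave False by default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = (ssl.TLSVersion.TLSv1 if allow_legacy_tls
                           else BASELINE_MINIMUM)
    # maximum_version is left at the library default so TLS 1.3 is offered
    # whenever the underlying OpenSSL supports it.
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def client_context(internal_ca_bundle=None):
    """Client-side SSLContext for University-managed clients.

    create_default_context() already loads the system's publicly trusted CAs
    and turns on certificate verification and hostname checking. An internal
    CA bundle (hypothetical path) is ADDED to that store, not substituted for
    it, so the self-signed/internal-CA exception does not weaken verification
    of public servers.
    """
    ctx = ssl.create_default_context()
    if internal_ca_bundle:
        ctx.load_verify_locations(cafile=internal_ca_bundle)
    ctx.minimum_version = BASELINE_MINIMUM
    return ctx


def compliance_report(ctx):
    """Summarise a context's settings against the guideline.

    verifies_peer is only meaningful for client contexts: servers normally
    run with CERT_NONE unless client certificates are required.
    """
    return {
        "minimum_version": ctx.minimum_version.name,
        # A floor of TLS 1.2 satisfies the "shall negotiate TLS 1.2" rule and
        # implies SSL 2.0/3.0 and TLS 1.0/1.1 are all refused.
        "meets_baseline": ctx.minimum_version >= BASELINE_MINIMUM,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    print("server:", compliance_report(hardened_server_context()))
    print("client:", compliance_report(client_context()))
```

Because `minimum_version` is enforced inside the TLS library rather than by a cipher-string convention, a misconfigured cipher list cannot silently re-enable an old protocol version; review `compliance_report()` output as part of deployment checks for any service that carries Internal Use, Confidential, or Restricted data.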
Contact OIS for questions regarding implementation of encryption guidelines at firstname.lastname@example.org.
May 26, 2020