1.1 Encryption helps protect university data from unauthorized disclosure. The guidelines below outline the encryption and cryptographic key management requirements for university assets and data; they follow best practices and align with the recommendations in the National Institute of Standards and Technology Special Publication NIST SP 800-57.
2.1 The standards apply to all Information Systems, Information System Owners, and Users of University Information Systems.
3.1 Local Encryption
3.1.1 Local encryption is required for all University managed mobile devices, laptops, and workstations. Local encryption is required for servers storing or processing Internal Use, Confidential, or Restricted Data.
3.1.2 Encryption technology will vary based on device and manufacturer. Where possible, whole disk encryption must be enabled.
3.2 Network Encryption
3.2.1 Network encryption is required for all systems transmitting Internal Use, Confidential, or Restricted University Data.
3.2.2 Systems must be configured to negotiate TLS 1.2 and should be configured to negotiate TLS 1.3.
3.2.2.1 The use of TLS versions 1.1 and 1.0 is discouraged but may be configured when necessary.
3.2.2.2 Servers must not allow the use of SSL 2.0 or SSL 3.0.
3.2.3 In production systems, certificates for TLS must be obtained from a publicly trusted CA (a CA that the clients connecting to the server are already configured to trust).
3.2.3.1 In cases where all the clients are under the University's control, self-signed certificates can be used if the solution owner can configure the clients to trust their CA.
3.2.3.2 Test and development systems may use self-signed certificates but must not be accessible from outside the University network.
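The protocol-version requirements in 3.2.2 can be enforced and audited in code. The following is an added example (not part of the policy and not University-provided code) that builds a server-side TLS context with the floor at TLS 1.2 and the ceiling open for TLS 1.3, and audits any context against the same rules: a "must" violation (SSL 2.0/3.0 negotiable, TLS 1.2 not negotiable) is reported as a failure, a "should" or "discouraged" deviation (TLS 1.3 not negotiable, TLS 1.0/1.1 negotiable) as a warning. Only the Python standard library is used; the function names and the `POLICY` table are this example's own.

```python
"""Added example: build and audit a server-side TLS configuration against
the version requirements in 3.2.2 (TLS 1.2 required, TLS 1.3 preferred,
TLS 1.0/1.1 discouraged, SSL 2.0/3.0 prohibited). Standard library only;
the function names are this example's own, not the policy's."""
from __future__ import annotations
import ssl
from typing import Optional

# Policy status of each protocol version, keyed by the name Python's ssl
# module reports from SSLSocket.version().
POLICY = {
    "TLSv1.3": "preferred",    # should be negotiable   (3.2.2)
    "TLSv1.2": "required",     # must be negotiable     (3.2.2)
    "TLSv1.1": "discouraged",  # only when necessary    (3.2.2.1)
    "TLSv1":   "discouraged",  # only when necessary    (3.2.2.1)
    "SSLv3":   "prohibited",   # must not be allowed    (3.2.2.2)
    "SSLv2":   "prohibited",   # must not be allowed    (3.2.2.2)
}

# Protocol names the ssl module can enforce as a floor or ceiling.
NAME_TO_VERSION = {
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1":   ssl.TLSVersion.TLSv1,
}


def classify_version(name: str) -> str:
    """Policy status ('required', 'preferred', 'discouraged', 'prohibited')
    of a negotiated protocol version name; 'unknown' if not recognised."""
    return POLICY.get(name, "unknown")


def policy_server_context(certfile: Optional[str] = None,
                          keyfile: Optional[str] = None,
                          max_version: Optional[str] = None) -> ssl.SSLContext:
    """Server context with the floor at TLS 1.2 and, unless max_version is
    given, the ceiling left open so TLS 1.3 is used when the client supports it."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # 3.2.2: TLS 1.2 must be negotiable
    ctx.maximum_version = (NAME_TO_VERSION[max_version] if max_version
                           else ssl.TLSVersion.MAXIMUM_SUPPORTED)
    if certfile:                                   # 3.2.3: chain from a trusted CA
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return (severity, message) findings for a context; [] means compliant.
    'fail' marks a 'must' violation, 'warn' a 'should' or 'discouraged' one."""
    findings = []
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        findings.append(("warn", "floor left to library default; set minimum_version explicitly"))
    elif lo <= ssl.TLSVersion.SSLv3:
        findings.append(("fail", "SSL 2.0/3.0 negotiable (prohibited, 3.2.2.2)"))
    elif lo < ssl.TLSVersion.TLSv1_2:
        findings.append(("warn", "TLS 1.0/1.1 negotiable (discouraged, 3.2.2.1)"))
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED:
        if hi < ssl.TLSVersion.TLSv1_2:
            findings.append(("fail", "TLS 1.2 cannot be negotiated (required, 3.2.2)"))
        elif hi < ssl.TLSVersion.TLSv1_3:
            findings.append(("warn", "TLS 1.3 cannot be negotiated (should, 3.2.2)"))
    return findings


if __name__ == "__main__":
    for label, ctx in [("open ceiling", policy_server_context()),
                       ("capped at TLS 1.2", policy_server_context(max_version="TLSv1.2"))]:
        print(label + ":", audit_context(ctx) or "compliant")
```

The audit inspects the configured floor and ceiling rather than performing handshakes, so it can run as a pre-deployment check; confirming what a live server actually negotiates still needs a connection test from a client with each version enabled.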
3.3 Cryptographic Key Management
3.3.1 Each key must be used for only one purpose (e.g., encryption, data integrity authentication, or digital signatures), thus limiting the damage that could be done if compromised.
3.3.2 Keys will be rotated within a one-to-three-year period.
3.3.2.1 Exceptions to the maximum three-year cryptoperiod may be warranted depending on the type of key.
3.3.2.2 When exceptions are requested, the Office of Information Security will evaluate key rotations to determine whether the integrity risk is minimal and the expense to rotate keys is inordinately high.
3.3.3 Information System Owners will maintain procedures for changing keys at the end of the defined cryptoperiod, and for replacing keys should their integrity be compromised.
3.4 Cryptographic Key Access
3.4.1 Keys must be protected from unauthorized access and modification by following the Account and Password Management Policy access controls.
3.4.2 To prevent the loss of key credentials, no individual Information System Owner will have sole access to an encryption key.
3.5 Cryptographic Key Logging
3.5.1 Systems will be configured to log the creation, deletion, and usage of each encryption key.
3.5.2 Logs will be forwarded to the University’s security information and event management system (SIEM) for safekeeping and investigation should a key be compromised.
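Sections 3.3, 3.4.2 and 3.5 translate directly into checks that can be run over a key inventory and into the shape of the log records the SIEM receives. The following is an added example (not part of the policy and not University-provided code) that audits a constructed inventory for single-purpose use (3.3.1), the three-year cryptoperiod with an approved-exception flag (3.3.2, 3.3.2.2) and sole custodianship (3.4.2), and emits one UTC-stamped JSON line per key creation, deletion or use (3.5.1) for forwarding (3.5.2). The record fields, function names, key identifiers, people and dates are all this example's own.

```python
"""Added example: audit a key inventory against 3.3.1 (single purpose),
3.3.2 (cryptoperiod) and 3.4.2 (no sole custodian), and emit structured
key-event records for the SIEM forwarding required by 3.5. Record fields,
function names and the sample inventory are this example's own."""
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, List, Optional, Set

MAX_CRYPTOPERIOD_DAYS = 3 * 365                        # 3.3.2: rotate within one to three years
PURPOSES = {"encryption", "integrity", "signature"}   # 3.3.1: exactly one per key
KEY_ACTIONS = {"create", "delete", "use"}             # 3.5.1: events that must be logged


@dataclass
class KeyRecord:
    key_id: str
    purposes: Set[str]               # intended uses of the key
    created: date                    # start of the current cryptoperiod
    custodians: Set[str]             # people able to access the key (3.4.2)
    exception_approved: bool = False # cryptoperiod exception granted by OIS (3.3.2.2)


def audit_key(rec: KeyRecord, today: date) -> List[str]:
    """Findings for one key; an empty list means the key meets 3.3 and 3.4.2."""
    findings = []
    if len(rec.purposes) != 1:
        findings.append("3.3.1: key must serve exactly one purpose")
    elif not rec.purposes <= PURPOSES:
        findings.append(f"3.3.1: unrecognised purpose {sorted(rec.purposes)}")
    age = (today - rec.created).days
    if age > MAX_CRYPTOPERIOD_DAYS and not rec.exception_approved:
        findings.append(f"3.3.2: cryptoperiod exceeded ({age} days, max {MAX_CRYPTOPERIOD_DAYS})")
    if len(rec.custodians) < 2:
        findings.append("3.4.2: sole custodian; a second key holder is required")
    return findings


def audit_inventory(records, today: date) -> Dict[str, List[str]]:
    """Map key_id -> findings for every non-compliant key in the inventory."""
    report = {}
    for rec in records:
        findings = audit_key(rec, today)
        if findings:
            report[rec.key_id] = findings
    return report


def key_event(key_id: str, action: str, actor: str,
              when: Optional[datetime] = None) -> str:
    """One JSON line per create/delete/use (3.5.1), UTC-stamped so the SIEM
    can correlate it during an investigation (3.5.2)."""
    if action not in KEY_ACTIONS:
        raise ValueError(f"not a logged key action: {action}")
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "ts": when.astimezone(timezone.utc).isoformat(),
        "event": "key." + action,
        "key_id": key_id,
        "actor": actor,
    }, sort_keys=True)


# Constructed sample inventory; identifiers, people and dates are made up.
AUDIT_DATE = date(2023, 11, 2)
SAMPLE_KEYS = [
    KeyRecord("db-enc-01", {"encryption"}, date(2022, 5, 1), {"alice", "bob"}),
    KeyRecord("api-sign-02", {"signature", "encryption"}, date(2021, 1, 15), {"carol"}),
    KeyRecord("legacy-mac-03", {"integrity"}, date(2019, 6, 30), {"dave", "erin"}),
    KeyRecord("hsm-root-04", {"signature"}, date(2018, 1, 1), {"alice", "frank"}, True),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_KEYS, AUDIT_DATE).items():
        print(key_id, *findings, sep="\n  ")
    print(key_event("db-enc-01", "use", "app-svc",
                    datetime(2023, 11, 2, 9, 30, tzinfo=timezone.utc)))
```

In the sample, the dual-purpose single-custodian key and the over-age key without an approved exception are reported, while the old root signing key with an approved exception passes; the log line carries only the key identifier and actor, never key material.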
Office of Information Security
November 2, 2023