蜜柚视频

Acceptable encryption standard

Purpose

The purpose of this standard is to establish guidelines for acceptable encryption to ensure the confidentiality and integrity of sensitive data. This standard shall apply to all data in transit or stored on mobile devices, removable media, or the cloud. The purpose of encryption of data in transit is to protect the confidentiality of the data from accidental or malicious disclosure. The purpose of encryption for mobile devices (e.g., laptops) and removable media (e.g., USB thumb drives) is to protect the data in the event the device is lost or stolen.

Scope

This standard applies to all university employees, as well as any individuals who are not University employees but have access to university data, such as retired or emeritus staff and faculty, contractors and volunteers; and any student handling university data, when accessed through or stored on mobile computing and storage devices, regardless of the device's ownership. This includes all access, storage, processing or transmission of sensitive data including the transfer of information between users using electronic communication systems (e.g. email, instant message); mobile devices (e.g. laptops, tablets, mobile phones) or removable media (e.g. USB drive or CD/DVD).

Standard

Encryption refers to a technology that protects a device, folder, or file from unauthorized access by converting the data into unreadable code. Encryption creates a stronger level of protection than a password protected device, folder, or file.   
 
  • All mobile computing and storage devices that store sensitive data, all authentication, and all network communications (including logins) involving transmission of sensitive data must be encrypted.
  • Mobile devices and removable media must be protected with whole disk encryption or with encrypted files.
  • Authentication – credentialed passwords must be encrypted in transmission. Using the university’s central authentication services such as Active Directory will ensure that passwords are transmitted securely at the time of login.
  • Data transmission – remote sessions to machines storing sensitive data must be encrypted through the use of secure protocols or applications.
  • Web applications – sensitive data communicated between a web application and the client machine should be encrypted using TLS/SSL.
  • Remote sessions (SSH) – allows a client to connect securely to an SSH server, and then use the resulting secure link to access the server's resources.
  • File transfers – encrypted file transfers can be done by using an encrypted transmission protocol such as SFTP. If an unencrypted mechanism is used to transfer a file containing sensitive data, the file must be encrypted before being transferred.
  • Remote sessions (RDP) – a secure network communications protocol designed for remote management, as well as for remote access to virtual desktops, applications and an RDP terminal server.
  • Virtual Private Network (VPN) – 蜜柚视频 provides a VPN that meets the approved levels of encryption for remote access to campus services.

蜜柚视频 requires that certain types of sensitive data, as defined in the policy Data Classification (93.001), must be protected to ensure confidentiality and integrity. To keep this information as secure as possible, the university will use industry standards as a baseline to define the requirements for encryption. The current standard according to the National Institute of Standards and Technology (NIST) is that all confidential data, data with a sensitivity rating of “High” per university policy, at a bare minimum must be encrypted using the Advanced Encryption Standard (AES) encryption method with a minimum key length of 256 bits or higher.
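As an added illustration of the 256-bit AES minimum stated above, and of the file-transfer item that requires a file to be encrypted before it is sent over an unencrypted mechanism, the following Go program is not part of this standard or of any university-provided tool. It assumes AES-256-GCM (an authenticated mode, so it covers both the confidentiality and the integrity the standard asks for), that the key is generated and stored separately from the data it protects, and that the sample record is constructed for the example. It rejects any key shorter than 256 bits before encrypting anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the minimum AES key length this standard requires.
const MinKeyBits = 256

// ErrKeyTooShort is returned for any key below the 256-bit minimum (e.g. AES-128).
var ErrKeyTooShort = errors.New("key shorter than the 256-bit minimum required by the standard")

// NewKey returns a fresh random 256-bit key. The key must be stored separately
// from the encrypted data (assumption: a password manager or key vault, not the same USB drive).
func NewKey() ([]byte, error) {
	key := make([]byte, MinKeyBits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the key-length minimum before building the AES-GCM cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key)*8 < MinKeyBits {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under a random nonce.
// Output layout: nonce || ciphertext || authentication tag.
// label is optional associated data (e.g. a file name) that is authenticated but not hidden.
func Encrypt(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Decrypt opens a blob produced by Encrypt. Any change to the nonce, ciphertext,
// tag or label makes the integrity check fail and returns an error.
func Decrypt(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a file that must be encrypted before transfer.
	record := []byte("constructed sample: student ID 000000000, grade A")
	blob, err := Encrypt(key, record, []byte("grades-export.csv"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d plaintext bytes into %d bytes (nonce + data + tag)\n", len(record), len(blob))

	// A 128-bit key is valid AES but below this standard's minimum, so it is refused.
	if _, err := Encrypt(make([]byte, 16), record, nil); err != nil {
		fmt.Println("128-bit key rejected:", err)
	}
}
```

The label (associated data) is a design choice worth noting: binding the file name to the ciphertext means a blob cannot be silently renamed or substituted for another file without the integrity check failing on decryption.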

There are many programs and methods of encrypting data that can meet university policies and standards. Which program and method the user chooses to implement is at the user’s discretion.

Users are warned that use of encryption technology outside of the minimum criteria described in this standard may be ineffective for its intended purposes, which subsequently can lead to violating the Information Security policy (91.005), if highly sensitive information is ineffectively encrypted. The Information Security Office (“ISO”) is unable to provide support for any encryption technologies other than those listed in this standard.
 

Definitions

Sensitive University data – University data that requires protection to ensure confidentiality and integrity, as defined in 蜜柚视频’s policy Data Classification (93.001). Examples of such data can be found by referring to Sensitive Data: Defining and Classifying | 蜜柚视频.

Mobile computing and storage devices – Computing and storage devices that are compact in nature and are easily transportable, as outlined in the Mobile device standard | 蜜柚视频.

References

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.   

Request an exception:  

Complete Exception Request Form.    

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.   

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups: 

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College)
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences)
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering)
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College)
  • Finance: Julie Allison, Associate Vice President, Finance
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration

History

Draft versions of this policy were circulated for review and approved on November 20, 2020.

Draft revisions of this policy were circulated for review and approved on August 7, 2025.