ISO Policies, Standards, and Guidelines
Data Encryption Guidelines
Last reviewed: 06/24/2013
The most reliable way to protect the university's sensitive
data is to avoid handling sensitive university data. Sensitive university data
should be retained or handled only when required. Encryption can
be an effective information protection control when it is necessary to possess
sensitive university data.
This guideline serves as a supplement to the Information Resources Use and Security Policy, which was drafted in response to Texas Administrative Code 202 and UT System UTS-165. Adherence to these guidelines will better assure the confidentiality and integrity of the university's sensitive data should data encryption be used as an information protection control.
The objective of these guidelines is to provide guidance in understanding encryption and the encryption key management required for maintaining the confidentiality and integrity of the university's sensitive data, should data encryption be used as an information protection control.
These guidelines apply to all devices, physical or virtual where university data is classified as Category I, II, or III (see Data Classification Standard).
4.1. Encryption Applicability
4.1.1. Transmission: In order to protect the confidentiality and integrity of the university's sensitive data; any data classified as Category-I data, and having a required need for confidentiality and/or integrity, shall be transmitted via encrypted communication to ensure that is does not traverse the network in clear text. It is further recommended, but not required, that data classified as Category-II be transmitted via encrypted communications when possible. See the university Data Classification Standard for further clarification on the classification of university data. Applications of encryption for data transmission include, but are not limited to, those identified in APPENDIX-A.
4.1.2. Storage: In order to protect the confidentiality and integrity of the university's sensitive data; any data classified as Category-I data, and having a required need for confidentiality and/or integrity, shall be stored encrypted in systems and/or databases and/or portable media. Category-II or Category-III data classifications do not require such encrypted storage. See the university Data Classification Guidelines for further clarification on data classification. Applications of encryption for data storage include, but are not limited to, those identified in APPENDIX-B.
4.1.3. A combination of business practices and technology can act as mitigating factors and could significantly reduce the risk of unauthorized data exposure, thereby offsetting the specific need to implement data encryption. Examples of such mitigating factors include, but are not limited to, those identified in APPENDIX-C.
4.2. Encryption Services
4.2.3. The encryption services referenced in APPENDIX-F shall be used for digital signature purposes when Category-I information is involved.
4.2.5. Digital certificates shall apply recognized standards (e.g., X.509v3) and shall at least:
4.3. Encryption Key Management
4.3.1. Encryption keys used to protect Category -I data shall also be considered Category-I data.
4.3.2. Professional key management is critical to prevent unauthorized disclosure of Category-I data or irretrievable loss of important data. A centralized campus key management infrastructure shall be made available to all university users to ensure appropriate controls are applied. The university data managed by all key management infrastructures shall be considered both Category I and mission critical.
4.3.3. All university key management infrastructures shall create and implement an encryption key management plan to address the requirements of these encryption guidelines, other university and UT-System regulations, and applicable State and Federal law. UT-Austin Internal Audit shall approve such plans.
4.3.4. All symmetric encryption keys used on systems associated with Category-I data shall be randomly generated according to industry standards. Acceptable standards include, but are not limited to, those referenced in APPENDIX-G.
4.3.5. Where symmetric encryption is used to protect Category-I data:
4.3.6. When asymmetric encryption is used, the operational period of asymmetric keys associated with a public key certificate are defined by the encryption key management plan of the issuing certificate authority.
4.3.7. Encryption keys shall be stored within an encrypted key store or an otherwise encrypted form using approved algorithms; or the keys may be stored on a security token (e.g., a smart card). The encryption keys shall never leave the device if stored on a security token.
4.3.8. Encryption keys are confidential information, and access shall be strictly limited to those who have a need-to-know. The owner(s) of data protected via encryption services shall explicitly assign responsibility for the encryption key management that should be used to protect this data. If keys are transmitted over communication lines, they shall be sent in encrypted form. The exchange of keys should employ encryption using a stronger algorithm than is used to encrypt data protected by the keys.
4.3.9. Encryption keys that are compromised (e.g., lost or stolen) shall be reported immediately to the Information Security Office (email@example.com), the key manager, and the information owner of the data being protected. The key shall be revoked or destroyed and a new key generated. Key re-assignments shall require re-encryption of the data.
4.4. Certificate Authorities
4.4.1. Encryption keys that are generated by a university production certificate authority (CA) and used to control access to the CA server or used by the CA to perform functions shall be stored on Hardware Security Modules (HSM).
4.4.2. All HSMs used within the university shall adhere to recognized standards (e.g., FIPS 140-3).
4.4.3. University CAs must be designed such that all CA administrator functions are accounted for in detail. Ideally, no single administrator shall obtain full access to the CA encryption keys (e.g., separation of duties, dual control, etc.)
4.4.4. University CAs within the university must adhere to a respective encryption key management plan and create a documented Certificate Practice Statement (CPS).
4.5. Legal Requirements
The encryption systems used by the university must comply with applicable laws and regulations. Any export or import of encryption products (e.g., source code, software, or technology) must comply with the applicable laws and regulations of the countries involved, including those countries represented by foreign nationals affiliated with the university. The United States Department of Commerce provides additional guidance specific to such encryption export controls, http://www.bis.doc.gov/encryption/.
5.1. Information Security Office Responsibilities
5.1.1. Development and maintenance of the university Data Encryption Guidelines.
5.1.2. Assess the secure installation and maintenance of all equipment supporting encryption controls at the university.
5.1.3. Assess the performance and security monitoring for all elements of the encryption control processes.
5.1.4. Assess all related key management processes.
5.1.5. The Information Security Office, acting on behalf of the university, reserves the right to refuse any encryption request that may compromise the security of the university's networks or sensitive data.
5.2. Key Manager Responsibilities
5.2.1. Adherence to the university Data Encryption Guidelines and related policies established by the university.
5.2.2. Ensure secure installation and maintenance of all respective equipment supporting encryption controls.
5.2.3. Ensure performance and security monitoring for all respective elements of the encryption control process.
5.2.4. Ensure all related key management processes can be accounted for in detail and, if possible, that no single key management supporting staff member can individually obtain full access to master keys or CA encryption keys (e.g., separation of duties, dual control, etc).
5.3. User Responsibilities
5.3.1. All users shall adhere to the university's Data Encryption Guidelines and related policies established by the university.
5.3.2. All users shall be familiar with the university's Minimum Security Standards for Data Stewardship.
5.3.3. All users shall acknowledge a key escrow agreement, which will identify the required escrow of the subscriber's private key. This requirement will be established for the benefit of the user, the university, and to comply with state and federal law.
5.3.4. All users must manage the storage and transmission of data files in a manner which safeguards and protects the confidentiality, integrity, and availability of such files.
5.3.5. Questions about the classification of a specific piece of data should be addressed to the local supervisor or respective IT Owner. Questions about these guidelines should be addressed to the Information Security Office.
Portions adapted from "University of Pittsburgh: Security Guidelines for Encryption," http://technology.pitt.edu/documentation/Security_Guidelines/Encryption_Guideline-vs-2.0.pdf, with permission from the University of Pittsburgh, Pittsburgh, Pennsylvania 15260-3332. No longer available online.
Portions adapted from Encryption at the University of California: Overview and Recommendations, with permission from the University of California Office of the President, Oakland, California 94607-5200.
8.1. APPENDIX A: Application of Encryption for Data Transmission
Private Network (VPN)
8.2. APPENDIX B: Applications of Encryption for Data Storage
126.96.36.199. IT Owners and IT Custodians should understand that database server encryption does not imply that data in the database server is encrypted when transmitted over a network. In general, the database server decrypts data before it is transmitted, therefore encryption for data transmission shall also be implemented for database servers processing Category I data.
188.8.131.52. IT Owners and IT Custodians should consider a number of factors when making decisions on database server encryption (e.g., data classification, need for confidentiality, number of associated applications, system administration, performance, cost, and backup requirements.)
8.3. APPENDIX C: Examples of Potential Mitigating Factors
8.4. APPENDIX D: Symmetric Algorithms
8.5. APPENDIX E: Public Key Asymmetric Algorithms
8.6. APPENDIX F: Digital Signature Algorithms
8.7. APPENDIX G: Industry Standards For Symmetric Key Generation
9. Revision History
Send computing questions to the ITS Help Desk or call (512) 475-9400.