GDL-3000.07J: Encryption Guidelines
Guideline Summary
Intended Audience: University personnel responsible for administration of workstations, servers, systems, networks, Internet of Things (IoT) devices, and applications
Guideline Owner: Information Security Office (ISO)
Definitions
|
Mathematical algorithms used for Encryption and Decryption. |
|
|
A suite that specifies the Ciphers that may be used for a session. |
|
|
The process of translating Encrypted data back to its original form. Users Encrypting and Decrypting the data must have access to secret encryption keys. |
|
|
The process of converting data into secret code to make it unreadable except by the intended recipient(s). |
|
|
Reference to Data encrypted on physical media. |
|
|
The encryption of data during transmission. |
Introduction
The Information Security Office (ISO) of Western Washington University (University) is responsible for providing guidance on data Encryption. Encryption protects the confidentiality of digital data either stored on media (Encryption at Rest ) or transmitted through a network such as the Internet (Encryption in Transit).
Compliance
To comply with federal, state, and University regulations/policies, Encryption at Rest is required for all confidential data. Encryption in Transit is required for all University confidential data as well as any University data (including non-confidential data) reachable from the Internet.
Cryptographic Standards
Data Encrypted at Rest or Encrypted in Transit must be protected by strong protocols and cryptographic Cipher Suites validated by the National Institute for Standards and Technology (NIST). The ISO’s vulnerability management program monitors University systems for compliance.
Approved Storage Locations for Confidential Data
The University’s business systems and Microsoft Office 365 environment support the University’s Encryption requirements and are pre-approved for storage of confidential data. Confidential data stored in other locations should undergo a review by the University’s ISO to ensure the data is protected by compliant Encryption.
Exceptions to Encryption Guidelines
Exceptions for University Encryption guidelines can be made if compensating security controls are in place and if the ISO reviews the exception.
For the complete guideline, click "Full Document" tab at top of page.
Full Document
Intended Audience: University personnel responsible for administration of workstations, servers, systems, networks, Internet of Things (IoT) devices, and applications.
Guideline Owner: Information Security Office (ISO)
1. Definitions
|
A process that uses a pair of keys—a public key and a private key—to Encrypt and Decrypt messages. Also known as public-key cryptography. |
|
|
Mathematical algorithms used for Encryption and Decryption. |
|
|
A suite that specifies the Ciphers that may be used for a session. |
|
|
A function that takes characters (such as a password) and mathematically converts them to a Hash value. |
|
|
The process of translating Encrypted data back to its original form. Users Encrypting and Decrypting the data must have access to secret encryption keys. |
|
|
The process of converting data into secret code to make it unreadable except by the intended recipient(s). Encryption usually employs symmetric and/or asymmetric algorithms. |
|
|
Reference to data encrypted on physical media. |
|
|
The encryption of data during transmission. |
|
|
Hash |
An encrypted bit array that cannot be Decrypted. Hashing is considered a one-way encryption. |
|
Symmetric Encryption |
A type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information. The entities communicating via symmetric encryption must exchange the key so that it can be used in the decryption process. Symmetric Encryption is generally faster than Asymmetric Encryption. |
|
System Custodian |
An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties. |
|
System Steward |
An individual responsible for the service management of a University-owned system such as a workstation, server, router, switch, printer, controller, other network-attached device, or application. They may create and enforce management and access policies. They are often referred to as Business Owners or Service Owners. |
|
Transport Layer Security (TLS) |
An Internet Engineering Task Force (IETF) standard protocol that provides authentication, privacy, and data integrity between two communicating computer applications. |
2. Acronyms
|
ISO |
Information Security Office |
|---|---|
|
NIST |
National Institute of Standards and Technology |
|
TLS |
Transport layer security |
|
WWU |
Western Washington University |
3. Introduction
The Information Security Office (ISO) of Western Washington University (University) is responsible for providing guidance on data Encryption. Encryption protects the confidentiality of digital data either stored on media (Encryption at Rest) or transmitted through a network such as the Internet (Encryption in Transit). Encryption protects confidentiality by ensuring data is unreadable if accessed by an unauthorized user or process. It serves as a foundational defense against many different risk scenarios such as communications eavesdropping, device theft, and malicious or accidental unauthorized data access.
Encryption uses an algorithm to transform plaintext information into a non-readable form called ciphertext. In simpler terms, Encryption takes readable data and alters it so that it appears random. When the intended recipient accesses the message, the information is translated back to its original form, in a process called Decryption. To unlock the message, both the sender and the recipient must use either a shared secret key (Symmetric ) or a Private/Public key pair (Asymmetric Encryption). Data that is not intended to be decrypted, such as passwords, are encrypted using a one-way Cryptographic Hash Function.
4. Compliance
OCIO 141.10: 4.3(1), 4.4
To comply with federal, state, and University regulations/policies, Encryption may be required on assets and networks that store, process, or transmit University digital data. Examples of devices storing and processing data include servers, workstations, mobile devices, portable media, switches, routers, wireless access points, other networking equipment, Internet of Things (IoT) devices, and applications. Examples of networks include wired and wireless networks, both private and public (e.g., the Internet).
4.1 Encryption at Rest
OCIO 141.10: 4.3(1)
The University requires Encryption at Rest for any University Confidential Information (Category 3 or 4) and is also recommended for any non-Confidential Data (Category 1 or 2). Encryption at Rest is particularly important when storing confidential data on mobile devices (e.g., phones, tablets, laptops) or on physical media (thumb drives, CDs/DVDs, hard drives) that are not in a secured space.
4.2 Encryption in Transit
OCIO 141.10: 4.4
The University requires Encryption in Transit for University confidential data. Encryption in Transit is also required for access to all University data (including non-confidential data) from the Internet.
5. Cryptographic Standards
OCIO 141.10: 4.3,4.4
Data Encryption at Rest or Encryption in Transit must be protected by strong protocols and cryptographic Cipher Suites. The National Institute for Standards and Technology (NIST) Cryptographic Standards and Guidelines publication outlines secure Internet protocols (TLS versions) and Cipher Suites acceptable for Encryption of University data.
6. Verification of Encryption Strength for Data in Transit
OCIO 141.10: 1.3
The ISO’s vulnerability management program shall test the cryptographic strength of new web applications prior to deployment in production. They shall also scan existing web applications on a rotating schedule to confirm that they meet the cryptographic standards outlined in this document. Any findings shall be sent to the responsible Custodians and Stewards for remediation.
7. Approved Storage Locations for Confidential Data
The University’s business systems (e.g., Banner, Millennium, Argos, OnBase, PageUp and Microsoft Office 365 environment (e.g., email, OneDrive, SharePoint, Teams) support the University’s Encryption at Rest and Encryption in Transit requirements and are pre-approved for storage of confidential data. Confidential data stored outside of University business systems or outside the Office 365 environment should be reviewed by the University’s ISO to ensure the data is protected in accordance with this Encryption guideline.
8. Exceptions to Encryption Guidelines
Exceptions for encryption guidelines can be made if compensating security controls are in place and if the ISO reviews the exception.
9. Authority
- University policy POL-U3000.07: Securing Information Systems
- Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
10. References
- NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST Cryptographic Standards and Guidelines
- Information Technology Services guideline ITS GDL-3000.07C: Data Classification Guideline
Change Log
| Version | Author | Approver | Change | |
|---|---|---|---|---|
|
10/17/2022 |
1.0 |
Beth Albertson |
ITS Standards & Guidelines Committee |
Original Version |