IT Security Standard: Encryption

Introduction:

Encryption controls are used to protect the confidentiality and integrity of sensitive information. The purpose of this policy is to provide requirements for the proper use and management of encryption technologies designed to protect Bowdoin College data. 

Related Policy:

Scope:

This policy applies to all Bowdoin College information systems in all facilities that process, store, or transmit sensitive information. It also applies to all personnel who are tasked with maintaining these information systems and with ensuring that encryption mechanisms are employed and perform as intended.

Standard:

Data at Rest

Data at rest refers to information that is not being actively processed, handled, or transmitted; it is simply being stored. Bowdoin College must ensure that all information systems that are used to store sensitive data are protected at rest by using encryption mechanisms. Examples where encryption should be used include but are not limited to:

  • Backups – Includes backup hard drives, CD/DVD/BLU-RAY, tape backups, etc.
  • Laptops & Workstations – Hard disc drives (HDDs) and solid-state drives (SSDs).
  • Mobile devices – phones, tablets, etc.
  • Servers – HDDs and SSDs
  • Storage devices – Network attached storage (NAS), Direct attached storage (DAS), Storage Area Networks (SAN), and other similar devices and technologies should be encrypted to protect sensitive data
  • Portable storage – Flash media, pen drives, etc.
  • Databases – Database encryption mechanisms should be leveraged to provide additional protection against access to sensitive information if a system becomes compromised
  • Files/folders – File and folder level encryption should be leveraged as necessary to protect specific files or folders that contain sensitive information.

Data in Transit

Data in transit refers to information that is in motion or being sent (transmitted) from a source to a destination. When transmitting sensitive information, Bowdoin College must ensure that encryption mechanisms are used to encrypt either the data or the transport protocol. Examples where encryption must be used when transmitting sensitive information include but are not limited to:

  • Email – Encrypting the text and/or the attachments of an email message.
  • Internal network traffic – Encrypted traffic between different internal networks, systems, or devices that does not leave organizational network boundaries or perimeters.
  • External network traffic – Encrypted traffic between Bowdoin College and an external entity.
  • Virtual Private Network (VPN) – Using encrypted network tunneling protocols to extend the enterprise network, or services hosted on the enterprise network, across a public network such as the internet.
  • Web services – Any services hosted on a website or web-based application between the client (a user, information system or service) and the host (typically the web server/application).

Standards/levels of encryption

The strength of encryption used (encryption protocol, key length, etc.) must correspond with the sensitivity of the data transmitted: the more sensitive the data, the stronger the encryption requirements.

Encryption levels and standards must be periodically reviewed to ensure continued compliance with applicable legal obligations associated with the data such as with existing contracts, or legal and regulatory requirements for various types of sensitive data.

If public key certificates are used for a client-facing service, they must be obtained from an approved certificate service provider. Bowdoin currently uses Sectigo, Digicert and AWS as our certificate service provider(s). Sectigo should be used as the primary provider unless there is a technical reason it will not work effectively.

Key Management

Key management processes and procedures must be centrally managed by the IT Department responsible for the encryption. Their role is to securely create, store, revoke, renew, and dispose of encryption keys.

  • Creation – Keys must be created on an appropriate system that is not used for day-to-day activities. Keys must be created using appropriate instruction and according to documented standards for their intended use.
  • Storage – Encryption keys must be stored in a secured system or application that is separate from the system on which they are used. If they are ad-hoc keys and not centrally managed, they should be stored in 1Password.
  • Revocation – Encryption keys must be revoked when encryption keys or encryption systems become compromised, have expired, or when keys need to be altered or manipulated.
  • Renewals – Encryption keys must be tracked and monitored to ensure renewals are conducted in a timely and controlled fashion.
  • Disposal – Encryption keys and key management systems must be disposed of in accordance with Bowdoin College data destruction standards for sensitive information.

Reviews & Approval

This standard will be maintained by Bowdoin College’s Information Security Officer. The standard will be reviewed and updated (if necessary) at least annually. In addition, the standard should be reviewed and updated when significant personnel changes occur, and/or to incorporate lessons learned as part of the incident response process.

Responsibilities: 

Senior Officers - Responsible for making a final review and approval of this standard.

Chief Information Officer - Responsible for reviewing and approving this standard prior to Senior Officers. The CIO must report all compliance-related activities pertaining to this policy to the Senior Officer team.

Information Security Officer - Responsible for creating related procedures to meet these established requirements as outlined in this standard. The ISO must report all matters pertaining to compliance with this policy to the Chief Information Officer.

System Administrator(s) - Responsible for managing the day-to-day operation of the computer system(s) within a department that support the business of the College, and for implementing these standards. These support functions may include any or all of the following: database management, software distribution and upgrading, user profile management, version control, backup & recovery, virus protection, and performance and capacity planning.

Non-Compliance and Exceptions:

If a Bowdoin College information system cannot be configured to use appropriate encryption, an exception must be documented and must receive both business and IT security approval.

Implementation

EFFECTIVE DATE: 11/2/2020
REVIEW FREQUENCY: Annual
RESPONSIBLE OFFICER: Chief Information Officer

Details

Article ID: 119492
Created: Mon 11/2/20 9:40 AM
Modified: Mon 11/2/20 4:46 PM