William & Mary
Close menu Resources for... William & Mary
Popular Topics
Suggested Results
News Events
Apply Visit Request Info
W&M menu close William & Mary
Compliance & Equity
Policy Library

Data Encryption Standard

Title: Data Encryption Standard
Responsible Office: Information Security Office

Encryption, when combined with appropriate access controls, is an important technology for protecting the confidentiality and integrity of William & Mary's data. The following guidelines help illustrate when encryption is necessary for protecting sensitive university data. If assistance is needed to facilitate the use of encryption technologies, contact the Information Security Office at 757-221-1822.  

I. Scope 

These guidelines apply to all devices storing or transmitting university data. 

Requirements
  1. Transmission:
    • Sensitive data must be transmitted using encryption.
    • Passwords for university accounts should always be transmitted using encryption.
    •  It is recommended but not required that encryption be used when transmitting any data not intended for public use. 
  2. Storage:
Implementation Guidance 

Transmission 

  1. File transfers

Encrypted file transfers can be done using an encrypted transmission protocol or service such as sftp or scp. If an unencrypted mechanism is used to transfer a file containing sensitive data, the file must be encrypted before being transferred. Information Technology provides sftp and scp access to the personal file space for all faculty, staff, and students. Sftp access is available for shared storage space.  

2.     Web Applications

Sensitive data communicated between a web application and the client machine should be encrypted using TLS/SSL or other secure protocols. 

3.     Remote Sessions

Remote sessions to machines storing sensitive data must be encrypted through the use of secure protocols or applications (TLS/SSL, SSH). Remote sessions that are authenticated using university credentials must be encrypted. 

4.     Email 

Email is not considered a secure method for sharing sensitive data. W&M has clear rules prohibiting this. End users are instructed to contact Information Technology if assistance is needed with transferring secure files. 

5.     Virtual Private Network

W&M provides a VPN that can provide encrypted access to services that don't offer encryption services natively. VPN access is available upon request.  

Storage              

  1. Whole Disk Encryption 

Encryption of sensitive data stored on portable devices (laptops, PDAs, phones) should be done using whole disk encryption when technically feasible. In the absence of whole-disk encryption, file-based encryption should be used. 

  1. File encryption 

File-level encryption of sensitive data is appropriate when files must be sent using an unencrypted transport method or when storing sensitive data on portable media (USB drives, CDs, tapes).