Data Encryption Standard

Encryption, when combined with appropriate access controls, is an important technology for protecting the confidentiality and integrity of College data. The following guidelines illustrate when encryption is necessary to protect sensitive College data. If assistance is needed with the use of encryption technologies, contact the Information Security Office at 757-221-1822.

Scope 

These guidelines apply to all devices storing or transmitting College data. 

Requirements: 

  1. Transmission:
    • Sensitive data must be transmitted using encryption.
    • Passwords for College accounts should always be transmitted using encryption.
    • It is recommended but not required that encryption be used when transmitting any data not intended for public use.
  2. Storage:

Implementation Guidance 

Transmission

  1. File transfers

Encrypted file transfers can be done using an encrypted transmission protocol or service such as SFTP or SCP. If an unencrypted mechanism is used to transfer a file containing sensitive data, the file itself must be encrypted before it is transferred, and the key or passphrase must be given to the recipient through a separate channel, never alongside the file. Information Technology provides SFTP and SCP access to the personal file space for all faculty, staff, and students. SFTP access is available for shared storage space.

  2. Web Applications

Sensitive data communicated between a web application and the client machine must be encrypted using TLS or another secure protocol, consistent with the transmission requirement above; the obsolete SSL versions that preceded TLS should not be enabled.

  3. Remote Sessions

Remote sessions to machines storing sensitive data must be encrypted through the use of secure protocols or applications (TLS/SSL, SSH).  Remote sessions that are authenticated using College credentials must be encrypted. 

  4. Email

Email is not considered a secure method for sharing sensitive data, and the College has clear rules prohibiting its use for that purpose. End users are instructed to contact Information Technology if assistance is needed with transferring sensitive files.

  5. Virtual Private Network

The College provides a VPN that offers encrypted access to services that do not provide encryption natively. VPN access is available upon request.

Storage

  1. Whole Disk Encryption 

Sensitive data stored on portable devices (laptops, PDAs, phones) should be protected with whole disk encryption when technically feasible. Where whole disk encryption is not available, file-based encryption should be used.

  2. File encryption

File level encryption of sensitive data is appropriate when files must be sent using an unencrypted transport method or when storing sensitive data on portable media (USB drives, CDs, tapes).
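The file-transfer guidance and the file-encryption guidance above both come down to the same step: when the transport is unencrypted, encrypt the file itself before it leaves the machine. The script below is an added example written for this page, not College-provided software. It assumes the openssl command-line tool is installed, and it assumes the passphrase file and the ciphertext digest reach the recipient over a separate channel (in person or by phone, never in the same email as the file). Where gpg or age is available they are preferable because they authenticate the ciphertext; openssl enc does not, which is why the script pairs it with a digest check that the recipient performs before decrypting.

```shell
#!/bin/sh
# Added example (not College tooling): encrypt a sensitive file before it
# crosses an unencrypted channel, and verify it on arrival.
# Assumes the openssl CLI is installed. The passphrase file and the .sha256
# digest are assumed to reach the recipient by a separate channel.
set -eu

# encrypt_for_transfer <plaintext> <passphrase-file> <ciphertext>
# The passphrase is read from a file (-pass file:) rather than given on the
# command line, so it never shows up in `ps` output or shell history.
# -salt gives every run a fresh key; -pbkdf2 -iter 600000 slows guessing.
encrypt_for_transfer() {
    plain=$1; passfile=$2; out=$3
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$plain" -out "$out" -pass "file:$passfile"
    # openssl enc has no integrity protection, so record a digest of the
    # ciphertext; it travels with the passphrase, not with the file.
    openssl dgst -sha256 "$out" | awk '{print $NF}' > "$out.sha256"
}

# decrypt_after_transfer <ciphertext> <passphrase-file> <plaintext>
# Refuses (non-zero exit, nothing written) if the digest does not match,
# which is what a truncated or tampered transfer looks like.
decrypt_after_transfer() {
    enc=$1; passfile=$2; out=$3
    expected=$(cat "$enc.sha256")
    actual=$(openssl dgst -sha256 "$enc" | awk '{print $NF}')
    if [ "$expected" != "$actual" ]; then
        echo "digest mismatch for $enc: refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$enc" -out "$out" -pass "file:$passfile"
}

# Round trip on a constructed sample file (not real College data).
demo_round_trip() {
    work=$(mktemp -d)
    umask 077   # passphrase and plaintext readable only by this user
    printf 'student_id,ssn\n100001,000-00-0001\n' > "$work/roster.csv"
    printf 'example-passphrase-shared-out-of-band\n' > "$work/roster.pass"
    encrypt_for_transfer "$work/roster.csv" "$work/roster.pass" "$work/roster.csv.enc"
    # roster.csv.enc is the only artifact that goes over the unencrypted channel
    decrypt_after_transfer "$work/roster.csv.enc" "$work/roster.pass" "$work/roster.out"
    if cmp -s "$work/roster.csv" "$work/roster.out"; then
        echo "round trip OK"
    else
        echo "round trip FAILED" >&2
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo_round_trip
else
    echo "openssl not found; nothing run" >&2
fi
```

The digest file is deliberately kept apart from the ciphertext: an attacker who can alter the file on an unencrypted channel can just as easily alter a digest sent beside it, so it has to arrive by the same separate route as the passphrase. Sending the encrypted file as an email attachment is still subject to the email rule above; this script only makes the file safe to move over a channel that policy already permits.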