Encryption when combined with appropriate access controls is an important technology for protecting the confidentiality and integrity of William & Mary data. The following guidelines help illustrate when encryption is necessary for protecting sensitive university data. If assistance is needed to facilitate the use of encryption technologies contact the Information Security Office at 757-221-1822.
These guidelines apply to all devices storing or transmitting university data.
- Transmission :
- Sensitive data must be transmitted using encryption.
- Passwords for university accounts should always be transmitted using encryption.
- It is recommended but not required that encryption be used when transmitting any data not intended for public use.
- Sensitive data must be encrypted if stored on a portable device.
- File transfers
Encrypted file transfers can be done by using an encrypted transmission protocol or service such as sftp or scp. If an unencrypted mechanism is used to transfer a file containing sensitive data, the file must be encrypted before being transferred. Information Technology provides sftp and scp access to the personal file space for all faculty, staff, and students. Sftp access is available for shared storage space.
2. Web Applications
Sensitive data communicated between a web application and the client machine should be encrypted using TLS/SSL or other secure protocols.
3. Remote Sessions
Remote sessions to machines storing sensitive data must be encrypted through the use of secure protocols or applications (TLS/SSL, SSH). Remote sessions that are authenticated using university credentials must be encrypted.
Email is not considered a secure method for sharing sensitive data. W&M has clear rules prohibiting this. End users are instructed to contact Information Technology if assistance is needed with transferring secure files.
5. Virtual Private Network
W&M provides a VPN that can provide encrypted access to services that don’t offer encryption services natively. VPN access is available upon request.
- Whole Disk Encryption
Encryption of sensitive data stored on portable devices (laptops, PDAs, phones) should be done using whole disk encryption when technically feasible. In the absence of whole disk encryption, file based encryption should be used.
- File encryption
File level encryption of sensitive data is appropriate when files must be sent using an unencrypted transport method or when storing sensitive data on portable media (USB drives, CDs, tapes).