ITS Security Policy 109 Encryption

Security Policy Goals [Link]

Statement of purpose

Data encryption provides protections for the confidentiality and integrity of data. The use of symmetric, asymmetric, and hashing algorithms in accordance with industry best practices and/or applicable laws and regulations can prevent the loss of data or render it meaningless to an attacker. Public Key Infrastructure mechanisms provide a means for verifying ownership of data and a means of exchange for encryption private keys. 

Scope statement

This policy applies to all controlled sensitive data for which CCC is the custodian, CCC ITS resources that store and/or transmit such data, publicly accessible technology resources, CCC-owned mobile devices, and remote connectivity solutions. Accountable and responsible individuals are CCC employees who are responsible for the design, implementation, maintenance, and/or use of any of the technologies listed above.

Policy summary

All Clackamas Community College (CCC) controlled sensitive data shall be stored (at rest) using encryption standards that meet or exceed industry standard recommendations or those required by law or regulation. Controlled sensitive data in transit shall be encrypted to standards that meet or exceed industry recommendations or those required by law or regulation when traversing networks that are routable to external networks, i.e., the internet. Encryption of data in transit over networks that are physically isolated from external networks, such as a Storage Area Network (SAN), shall not be required unless otherwise specified by applicable law or regulation or unless the physical components of the network are accessible from insecure locations.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

Public Key Infrastructure Certificates (“certs”)

  1. Security certificates shall be used to confirm identity, secure communications between parties, and ensure integrity of transmissions.
  2. Certs signed by a well-known certificate authority shall be required on any publicly accessible technology resources, such as web pages and portals, file transfer servers, and VPN endpoints.
  3. Technology resources accessible for college personnel only and accessible only from CCC’s local area network (LAN) may use certs signed by a well-known certificate authority or may be signed by CCC’s local certificate authority.
  4. Resources strictly for use by ITS staff and confined to the LAN may use self-signed certificates.
  5. CCC employees shall be responsible for procuring and installing the certs used on all 1st party hosted systems.
  6. CCC employees shall endeavor to procure certs for 3rd party hosted systems requiring certs to be purchased from a well-known certificate authority.
  7. To the greatest extent possible, all certs shall be purchased from the same well-known certificate authority.
  8. Requests for certs that do not meet the requirements in this policy may be denied or subject to revocation.

Keys

  1. Cryptographic keys (“keys”) shall be generated, accessed, distributed, rotated, stored, and disposed of in a controlled and secured manner that meets or exceeds legal and/or regulatory requirements.
  2. Documentation provided to customers who have a need to exchange keys with CCC shall include the relevant portions of these policies & procedures.
  3. Keys used to encrypt and decrypt data shall be protected from general access. Only custodians approved by the CIO shall be granted access to the key components, and access audit trails shall be maintained.
  4. Keys shall be changed when circumstances dictate a change to maintain encryption or key integrity or when otherwise required by law or regulation.
    1. Suspicious activity: This change is driven by any activity related to the key process that raises concern regarding the security of the existing key.
    2. Resource change: Keys shall be changed or revoked if a resource with knowledge of the keys terminates employment or assumes a new job that no longer requires access to an encryption process.
    3. Technical requirement: Keys shall be changed if the key in place has become questionable due to a technical issue, such as corruption, instability, or vulnerability.
  5. Keys no longer in service shall be disposed of in accordance with the process outlined in the Data Retention and Disposal Policy.
  6. A backup copy of all keys shall be made using removable media, and/or offsite. This copy shall reside in a secure storage container at all times it is not in use. Access shall be controlled and limited to individuals with permissions to manage keys. An access log for this media shall be maintained.
    1. For the purposes of this clause, encryption keys for single-user workstations are excluded, as Microsoft BitLocker keys are recoverable via Active Directory.

Email transmission of controlled sensitive data

  1. Controlled sensitive data shall never be sent unencrypted through email.
  2. Employees with a valid business justification for emailing controlled sensitive data shall use sanctioned email encryption software.

Encryption of wireless networks

  1. All wireless networks in use at CCC facilities shall be protected using current industry encryption standards (the encryption strength shall not be less than 128 bits).

Data at rest

  1. Enterprise databases containing controlled sensitive data shall be encrypted using encryption standards that meet or exceed industry standard recommendations or those required by law or regulation.
  2. Controlled sensitive data shall not be stored on 3rd party systems, such as Microsoft OneDrive or Google Drive, without first being approved by the CCC CISO and without a security audit being completed to ensure that the platform's controls adhere to legal and regulatory compliance standards for the data being stored.
  3. Disk encryption shall be enforced on CCC-owned mobile computing devices with local data storage capabilities.
  4. Encryption keys for CCC-owned mobile computing devices shall not be associated with user accounts and shall be stored securely on the device TPM.
  5. Mobile devices without a TPM shall not be used for any function that requires access to non-public CCC resources if used outside of the LAN.
  6. Removable media shall be encrypted per paper and electronic media policy.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

Policy violation [Link]

Complaint procedures [Link]

Governing standards, policies, and guidelines [Link]

Definitions [Link]

Responsible executive

Chief Information Officer

Last revision date

3-2-2022 srw (Final Draft)

 

Details

Article ID: 144645
Created: Wed 6/29/22 1:56 PM
Modified: Wed 7/13/22 1:17 PM