ITS Security Policy 109 - Encryption

Summary

This policy establishes encryption standards for Clackamas Community College to protect sensitive data at rest and in transit. It mandates the use of industry-recommended encryption protocols, secure key management, and email and wireless encryption, with exceptions requiring CIO approval.

Body

Status: TDX Submitted Draft
Last Revision Date: 13 July 2022

Statement of Purpose

Data encryption ensures the confidentiality and integrity of data. The use of symmetric, asymmetric, and hashing algorithms in accordance with industry best practices and applicable laws/regulations can prevent data loss or render it meaningless to attackers. Public Key Infrastructure (PKI) mechanisms provide a means for verifying data ownership and a secure method for exchanging encryption private keys.

Policy Summary

All Clackamas Community College-controlled sensitive data shall be stored (at rest) using encryption standards that meet or exceed industry recommendations or those required by law or regulation. Controlled sensitive data in transit shall be encrypted to similar standards when traversing networks that are routable to external networks (e.g., the internet). Encryption of data in transit over networks that are physically isolated from external networks, such as a Storage Area Network (SAN), shall not be required unless otherwise mandated by applicable law, regulation, or security concerns related to physical accessibility.

This policy is subject to and superseded by applicable regulations and laws.

Policy

Public Key Infrastructure Certificates ("certs")

  1. Security certificates shall be used to confirm identity, secure communications, and ensure data integrity.

  2. Certificates signed by a well-known certificate authority shall be required on all publicly accessible technology resources, including web pages, portals, file transfer servers, and VPN endpoints.

  3. Technology resources accessible only to college personnel and restricted to Clackamas Community College’s local area network (LAN) may use certificates signed by either a well-known certificate authority or the College’s local certificate authority.

  4. Resources strictly for ITS staff and confined to the LAN may use self-signed certificates.

  5. Clackamas Community College employees shall procure and install certificates for all first-party hosted systems.

  6. Employees shall endeavor to procure certificates for third-party hosted systems that require them, ensuring they are purchased from a well-known certificate authority.

  7. To the greatest extent possible, all certificates shall be purchased from the same well-known certificate authority.

  8. Requests for certificates that do not meet policy requirements may be denied or revoked.

Keys

  1. Cryptographic keys shall be generated, accessed, distributed, rotated, stored, and disposed of securely in compliance with legal and regulatory requirements.

  2. Documentation for customers exchanging keys with Clackamas Community College shall include relevant portions of these policies and procedures.

  3. Keys used for encryption and decryption shall be restricted to authorized custodians approved by the CIO, with maintained access audit trails.

  4. Keys shall be changed when necessary to maintain encryption integrity or when required by law or regulation:

    • Suspicious activity: Any security concerns related to the existing key shall trigger a key change.

    • Resource changes: Keys shall be changed or revoked if a resource with key access terminates employment or transitions to a role no longer requiring access.

    • Technical issues: Keys shall be changed if corruption, instability, or vulnerabilities affect their security.

  5. Retired keys shall be disposed of per the Data Retention and Disposal Policy.

  6. Backup copies of all keys shall be stored using removable media and/or offsite storage in a secure container. Access shall be restricted to authorized personnel, and an access log shall be maintained.

    • Exception: Encryption keys for single-user workstations are excluded, as Microsoft BitLocker keys are recoverable via Active Directory.

Email Transmission of Controlled Sensitive Data

  1. Controlled sensitive data shall never be sent unencrypted via email.

  2. Employees with a valid business need to email controlled sensitive data shall use sanctioned email encryption software.

Encryption of Wireless Networks

  1. All wireless networks at Clackamas Community College facilities shall be protected using industry-standard encryption with a minimum strength of 128 bits.

Data at Rest

  1. Enterprise databases containing controlled sensitive data shall be encrypted using industry-standard encryption or as required by law/regulation.

  2. Controlled sensitive data shall not be stored on third-party systems, such as Microsoft OneDrive or Google Drive, without prior approval from the Clackamas Community College CISO and a security audit to ensure compliance with applicable regulations.

  3. Disk encryption shall be enforced on all Clackamas Community College-owned mobile computing devices with local data storage capabilities.

  4. Encryption keys for Clackamas Community College-owned mobile computing devices shall not be associated with user accounts and must be securely stored on the device’s Trusted Platform Module (TPM).

  5. Mobile devices without a TPM shall not be used for functions requiring access to non-public Clackamas Community College resources when outside the LAN.

  6. Removable media shall be encrypted per the Paper and Electronic Media Policy.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).

 

Details

Details

Article ID: 144645
Created
Wed 6/29/22 4:56 PM
Modified
Thu 3/6/25 7:00 PM