Cryptographic Protection (SC-13)

Created August 18, 2016
Revised July 12, 2017

Description

The purpose of this Control is to provide guidance to all Texas A&M University employees regarding the use of encryption to protect the university’s information resources that contain, process, or transmit confidential information, protected health information (PHI) or controlled data (See Control RA-2, Security Categorization).

Applicability

This Control addresses encryption requirements for confidential information, PHI, and/or controlled data that is at rest, including on portable or mobile devices and removable media, regardless of ownership of the particular storage device.

The procedures in this Control also apply to confidential information, PHI, or controlled university data that is in transit. This Control is compatible with, but does not supersede or guarantee, compliance with state and federal encryption standards.

Units that create or maintain electronic data pursuant to U.S. Department of Defense (DoD) or Department of Energy (DoE) agreements must comply with federal guidelines for handling such data which may differ from this Control. Questions regarding DoD or DoE data should be directed to the Texas A&M System Facility Security Officer.

Implementation

1. This Control provides procedures and requirements for the use of encryption to protect the university’s information resources that contain, process, or transmit confidential and/or controlled data.

2. Texas A&M University owners of information resources (owners), or designees, shall identify (location and owner) and categorize data at least annually. For confidential, controlled, or mission critical categories, the location, category, and owner shall be documented. This should be accomplished in conjunction with the annual risk assessment process (as described in the Information Security Risk Assessment Procedures (ISRAP)). The purpose of this identification and categorizing process is to determine the appropriate security controls needed to protect university data. For data that has been categorized as confidential or controlled, encryption is often the most appropriate control measure to put in place.

3. It is the responsibility of anyone who has confidential information, PHI, or controlled data in their possession, or under their direct control (e.g., manages a storage device), to ensure appropriate risk mitigation measures, such as encryption, are in place to protect such data from unauthorized exposure.

4. When encryption is used, appropriate key management procedures are crucial. Anyone employing encryption is responsible for ensuring authorized users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements.

5. All encryption mechanisms implemented to comply with this procedure must support, at a minimum, AES 128-bit encryption.

5.1 The use of proprietary encryption algorithms is not allowed for any purpose unless reviewed and approved by the Chief Information Security Officer (CISO@tamu.edu) or designee.

6. Recovery of encryption keys must be part of continuity of operations with the exception of data used by a single individual (e.g., grade book archives).

Tip

For recovery purposes, store encryption keys in a password vault and maintain the ability to access the vault through multiple locations including offline media.

7. University confidential information or PHI that is stored in a public location and which is directly accessible without compensating controls shall be encrypted (see also Control RA-2 Security Categorization).

7.1 All student grade information retained longer than twelve months must be encrypted regardless of where it resides.

8. Any confidential information, PHI, or controlled data transmitted to, or from, a site that is not on the campus network (e.g., over a public network to and from vendors, customers, or entities doing business with the university) must be encrypted or be transmitted through an encrypted connection such as secure sockets layer (SSL), secure shell (SSH) or virtual private network (VPN).

8.1 Transfer of confidential information, PHI, or controlled documents and data over the Internet using secure file transfer programs (e.g., HTTPS, “secured FTP”) is permitted.

9. Confidential, PHI, or controlled data transmitted as an email message must be encrypted.

9.1 Email stores that retain email messages containing confidential information, PHI, or controlled information are not required to be encrypted as a whole. Individual messages containing confidential information, PHI, or controlled information must be encrypted.

9.2 Email messages that are transmitted within the campus network may be exempted provided all other state and federal requirements are addressed.

10. If peer-to-peer (P2P) or Instant Messaging (IM) is used to transmit confidential information, PHI, or controlled data, traffic flows between peers must be encrypted and access must be allowed only to managed IM servers that provide gateways to public services.

11. When retired, all computer hard drives or other storage media that have been encrypted shall be sanitized in accordance with Control MP-6, Media Sanitization.

11.1 Hard drives can be shredded by transferring them to Texas A&M University-Logistics. Specify on the E-Scrap Disposal Form that the equipment must be shredded.