Technology Standard

Data Protection - Encryption

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services

PURPOSE

To provide guidelines necessary to implement System Office and College IT systems encryption standards and procedures.

In accordance with the COV ITRM 501-01, Encryption document the security related activities that must be adhered to in each phase of the development life cycle for System Office and College IT systems.

The Encryption Security Standard is applicable to the System Office and all Colleges.

Encryption is an effective way to achieve data security. The System Office and Colleges should utilize encryption controls that commensurate with the sensitivity and risk of the data.

Requirement:

The System Office and Colleges should define and document practices for selecting and deploying encryption technologies. This may be as simple as researching the most recent software available in the current market. Deployment is dependent on the type of software selected, the system affected, and the appropriate time frame available to provide the least interruption to System Office or College personnel.

Requirement:

The System Office and College should provide technical training required to users on the proper use of encryption products.

Requirement:

Appropriate processes should be documented prior to implementing encryption:

• The System Office and College Incident Response Plan should include instructions on how the response is handled when keys are compromised.
• Administration and distribution of encryption keys should be done via a secure key management system.
• Encryption keys should only be generated through an approved encryption package.
• Encryption keys should be securely stored.

Return to Information Security Program