Purpose
This policy aims to establish the types of devices and media that need to be encrypted, when encryption must be used, and the minimum standards of the software used for encryption.
Audience
The Salish Kootenai College Encryption Policy applies to individuals responsible for the setup or maintenance of Salish Kootenai College encryption technology.
Policy
- It is the policy of the College that any encryption performed on college systems must use proven standard algorithms, and such encryption must permit properly designated college officials, when required and authorized, to decrypt the information.
Exceptions to this policy will be handled per the Information Security Policy. In emergency cases, actions may be taken by the Incident Response Team per the procedures in the Incident Response Plan. These actions may include rendering systems inaccessible.
- Salish Kootenai College IT Services must approve all encryption technologies and techniques used by Salish Kootenai College.
- Salish Kootenai College IT Services is responsible for the distribution and management of all encryption keys other than those managed by Salish Kootenai College.
- All use of encryption technology should be managed in a manner that permits properly designated Salish Kootenai College personnel to promptly access all data, including for investigation and business continuity.
- Only encryption technologies approved, managed, and distributed by Salish Kootenai College IT may be used in connection with Salish Kootenai College Information. Resources other than those managed by Salish Kootenai College.
- Salish Kootenai College IT Services will create and publish the Salish Kootenai College Encryption Standards, which must include, at a minimum:
  - The type, strength, and quality of the encryption algorithm required for various levels of protection.
  - Key lifecycle management, including generating, storing, archiving, retrieving, distributing, retiring, and destroying keys.
- All Salish Kootenai College information classified as confidential must be encrypted when:
  - Transferred electronically over public networks.
  - Stored on mobile storage devices.
  - Stored on laptops or other mobile computing devices.
  - At rest, i.e., stored on a server or cloud platform and not being accessed. This includes backup files.
- The use of proprietary encryption algorithms is not permitted unless approved by Salish Kootenai College IT Services.
- The use of encryption for any data transferred outside of the United States must be formally approved by Salish Kootenai College IT Management before transfer.
References
- ISO 27002: 10, 14, 18
- NIST CSF: PR.DS
- Information Classification and Management Policy
- Encryption Standard
History:
Approved: 3/17/2023