EA-POL-015 Enterprise Architecture - Encryption Policy

Transcription

1 Technlgy & Infrmatin Services EA-POL-015 Enterprise ure - Encryptin Plicy Authr: Craig Duglas Date: 17 March 2015 Dcument Security Level: PUBLIC Dcument Versin: 1.0 Dcument Ref: EA-POL-015 Dcument Link: cntent/uplads/sites/4/2015/03/ea-pol-015-enterprise- ure-encryptin-plicy.pdf Review Date: March 2016

2 EA-POL-015 Enterprise ure - Encryptin Plicy Purpse The purpse f this plicy is t prvide Plymuth University with guidance n the use f encryptin t prtect the Universities infrmatin resurces that cntain, prcess r transmit infrmatin classified as standard r restricted. Audience The intended audience fr this plicy are all Plymuth University emplyees, students and ther affiliated partners, including cntractrs. Scpe This plicy applies t all Plymuth University emplyees, students and ther affiliated partners, including cntractrs where they are wrking with, prcessing, string r mving University data assets. It addresses encryptin plicy and cntrls fr standard and restricted data that is at rest (including prtable devices and remvable media), data in transit (transmissin security), and encryptin key standards and management. Plicy Encryptin Strength Plymuth University will use FIPS validated technlgies (e.g. Advanced Encryptin Standard (AES), Triple Data Encryptin Standard (3DES) 1 (Triple Data Encryptin Algrithm (TDEA)), etc.) technlgies fr encrypting infrmatin classified as standard r restricted data under the Plymuth University Data Classificatin and Management Plicy (EIM-POL-001), unless dcumented thrugh an exceptin prcess. Symmetric cryptsystem key lengths must be at least 192 bits r strnger fr bth standard and restricted data. Asymmetric cryptsystem keys must be f a length that yields equivalent strength (e.g. the US Natinal Institute fr Science and Technlgy (NIST) states that an apprximate equivalencies f 256 bit symmetric = bit asymmetric length 2 ). T cmply with this plicy: All encryptin mechanisms implemented t cmply with this plicy supprt a minimum f but nt limited t AES 192-bit encryptin. The use f prprietary encryptin algrithms are nt allwed fr any purpse, unless reviewed by qualified experts independent f the vendr in questin and apprved by the Plymuth University Enterprise Security. Plymuth University s key length requirements will be reviewed annually and upgraded as technlgy allws. Data at Rest Hard drives which d nt benefit frm full disk encryptin may have encrypted partitins, the remainder f the disk maybe be lgically separated but remain unencrypted, r may cnnect (r munt) ther unencrypted devices. This culd lead t infrmatin leakage between the secured and unsecured areas and will ptentially disclse vulnerable infrmatin if interrgated. The hard drives unencrypted aut-recvery flder may retain unencrypted versins r fragments f files that have been saved t the encrypted prtin f the disk r USB. The use f full disk encryptin avids this prblem, and is currently the nly suitable slutin apprved by Plymuth University. 1 Three 64 bit keys are used, instead f ne, fr an verall key length f 192 bits (the first encryptin is encrypted with secnd key, and the resulting cipher text is again encrypted with a third key) 2 NIST Special Publicatin Recmmendatin fr Key Management Part 1: General (Revisin 3). Barker, Barker Burr, Plk and Smid. Page 2 f 6

3 EA-POL-015 Enterprise ure - Encryptin Plicy Systems that are likely t hld infrmatin, which is classified as standard r restricted and wned r cntrlled by Plymuth University, must be prtected at rest by: Full disk encryptin Firewalls with strict auditable access cntrl that authenticates the identity f individuals accessing the data. Cmplex passwrd prtectin, as defined in Plymuth University Infrmatin Security Plicy Supprting Dcumentatin SEC-GDL-003 University Accunt Passwrds 3, shuld be used in cnjunctin with encryptin and access cntrl. Passwrd cntrl alne is nt an acceptable alternative t prtecting standard r restricted infrmatin. Backup slutins, irrespective f media and lcatin must be prtected using at least AES 192-bit algrithm based encryptin techniques. All cmputer hard drives r ther strage media that have been encrypted r nt shall be sanitised prir t resale r destructin in accrdance with the Data Destructin Plicy and assciated standard. Prtable Devices Prtable devices represent a specific categry f device that cntain data-at-rest. A large prprtin f infrmatin security incidents invlving unauthrised expsure f restricted data are as a result f lst r stlen prtable cmputing devices. The best way t prevent these incidents is t avid string standard r restricted data n such devices. Restricted data must nt be cpied r stred n a prtable r nn-university wned cmputing device. Hwever, in practice, where a secured remte cnnectin t a University device is nt suitable, the use f encryptin techniques will reduce the risk f unauthrised disclsure in the event f lss r theft. When standard r restricted data is t be stred n prtable cmputing equipment (including but nt limited t laptps, tablets, smart phnes, external hard drives, USB keys etc.): Permissin must be btained by the infrmatin wner t d s The devices in questin must be encrypted using methds and prducts apprved by Plymuth University Enterprise Security. The devices in questin, where apprpriate, must have additinal security mechanisms in place such as firewall, anti-virus/anti-malware, prper passwrd prtectin, be fully security patched fr all resident sftware and have unnecessary services and cmmunicatin prts and prtcls switched ff. Remvable media, including but nt limited t ptical disks, USB memry drives, tape etc. must be encrypted and stred in a secure lcked lcatin. Transprtatin f remvable media by a 3 rd party must be dne in a secure manner and a data handling audit trail must be recrded. Prtable media cntaining standard r restricted infrmatin must be in the pssessin f an authrised user at all times (e.g. must nt be checked in with luggage during transit). 3 University-Accunt-Passwrds.pdf Page 3 f 6

4 EA-POL-015 Enterprise ure - Encryptin Plicy The recipient f the remvable media must be identified t ensure the persn requesting the data is the ne claimed. Plymuth University will audit encrypted devices and validate implementatin f encryptin prducts at regular intervals. These devices must nt be used fr lng-term strage f such data, when the data has been prcessed it is the users respnsibility t ensure it has been deleted frm the strage media. Transmissin Security Users will fllw the Plymuth University Enterprise ure Plicy Data Transfer (EA-POL-012) when transmitting data and must take particular care when transmitting r re-transmitting restricted infrmatin. Infrmatin wned by 3 rd parties must nly be transmitted with the wners apprval and is subject t any additinal plicies they may have in place. Standard r restricted infrmatin transmitted by must be encrypted, with the apprpriate passwrd being delivered using a different medium. Standard r restricted infrmatin transmitted thrugh a public netwrk must be encrypted r transmitted thrugh an encrypted tunnel, such as a SSL r IPSec secured Virtual Private Netwrk (VPN). Transmitting unencrypted restricted infrmatin thrugh the use f web sftware is nt permitted. Sharing standard r restricted infrmatin ver Peer-t-Peer (P2P) file-sharing prgrams requires specific authrisatin in writing frm bth the University Data Prtectin Officer and Enterprise Security ; this will be reprted t the Chief Infrmatin Officer fr sign ff befre transmissin can start. Wireless transmissin (Wi-Fi) used t access Plymuth University prtable cmputing devices r internal netwrks must be encrypted using IEEE i WPA2 (AES) r better. Plymuth University permits the secure encrypted transfer f infrmatin ver the Internet using file transfer prgrams such as Secured File Transfer Prtcl (SFTP ver Secure Shell (SSH)) and Secure Cpy (SCP). Only authrised devices may perfrm the SSH/SCP peratins, these must be maintained by Technlgy and Infrmatin Systems and are fr the use f authrised users nly and are subject t the fllwing cnditins: Annymus FTP is nt permitted. Standard FTP is nt encrypted and must nt be used n any Internet facing systems r where standard r restricted data is being transmitted. All accunts and keys must be stred and managed frm within the Plymuth University netwrk All transactins and transfers must be lgged, and reviewed fr prhibited activity All files cntained within the managed system r users prfile must be deleted within seven days after they are delivered r made available fr retrieval. Encryptin Key Management Effective key management is essential fr ensuring the security and cmpliance f any encryptin system. Key management prcedures must ensure that authrised users can access and decrypt all encrypted data using cntrls that meet peratinal needs and cmply with data retentin requirements. Plymuth University key management systems will: Page 4 f 6

5 EA-POL-015 Enterprise ure - Encryptin Plicy Use prcedures that enfrce least privilege cncepts and prmte separatin f duty fr supprt persnnel. Have verifiable backup slutins fr Key passwrds, files and ther related backup cnfiguratin data Ensure keys will be transmitted securely nly when the requestr is authrised t receive them and has been identified as that individual. Adpt key management tls which are fully autmated, staff must nt have the pprtunity t expse the key r influence its creatin Make prvisin such that keys in strage and transit must themselves be encrypted. Private keys must be kept cnfidential Keys must be randmly generated using hardware based randmisatin Key used fr the encrypting f ther keys must be maintained separately frm data keys A cmplete audit trail f all key management activities must be maintained and stred securely as defined in the Recrds Retentin Data Strage Schedule. Exceptin Management Exceptins t this plicy may be granted using the Enterprise ure Waiver Prcess and will be cnsidered by the Enterprise Security n merit, risk t University classified standard r restricted infrmatin, as well as alignment with the verall security architecture. Failure t cmply with this plicy may lead t the slutin architecture being rejected during Enterprise ure review, returned fr rewrk r placed n hld. In circumstances where failure t cmply leads t a breach f infrmatin security r f significant risk f the same, disciplinary actin may be taken due t the terms f emplyment being breached. In additin, any systems cnfigured in a manner that cntravenes this plicy and ther related plicies will be disabled pending investigatin. Supprting Dcumentatin This plicy is supprted by established Enterprise ure dcuments, namely: Enterprise ure Principles - Principle 8: Data Security Security must be designed int data elements frm the beginning; it cannt be added later. Systems, data, and technlgies must be prtected frm unauthrised access and manipulatin. Vice Chancellr s Executive infrmatin must be safeguarded against inadvertent r unauthrised alteratin, sabtage, disaster, r disclsure. Enterprise ure Principles - Principle 9: Data is an Asset Accurate, timely data is critical t accurate, timely decisins. Mst crprate assets are carefully managed, and data is n exceptin. Data is the fundatin f ur decisin-making, s we must als carefully manage data t ensure that we knw where it is, can rely upn its accuracy, and can btain it when and where we need it, in ding s data assets can prvide additinal value t academic and research endeavrs. Page 5 f 6

6 EA-POL-015 Enterprise ure - Encryptin Plicy Enterprise ure Principles - Principle 10: Data is Shared Data where applicable, will be available externally t the enterprise. This will affrd bth rich service prvisin als the ability t perfrm research cllabratively with partners. Enterprise ure Principle Principle 11: Data is Accessible Wide access t data leads t efficiency and effectiveness in decisin-making, and affrds timely respnse t infrmatin requests and service delivery. Using infrmatin must be cnsidered frm an enterprise perspective t allw access by a wide variety f users. Staff time is saved and cnsistency f data is imprved. Enterprise ure Principles Principle 17: Data will be Analysable Data assets prvide invaluable infrmatin t the enterprise fr research and business intelligence decisin-making when gathered, stred and accessed crrectly. EA-POL-012 Enterprise ure Plicy Data Transfer Secure prtcls will always be used in preference ver unsecured prtcls fr data transmissin. If n secured prtcl is available then a secured tunneling (IPSec r SSL VPN) technique must be utilised t prevent infrmatin being transmitted in plain sight f netwrk users. SEC-GDL-003 University Accunt Passwrds University passwrd requirements EIM-POL Data Classificatin and Management Plicy 3. Assigning classificatin levels Dcument Cntrl Versin Authr Psitin Details Date/Time Apprved by Psitin Date/Time 0.1 Craig Duglas Enterprise Initial Dcument 18 September Craig Duglas Enterprise Update fllwing EAP 13 Octber 2014 Review 0.3 Craig Duglas Enterprise Updated Template 14 January Paul Ferrier Enterprise Security 1.0 PW, AH, GB, CD, PF IT Directr, HS, EA Updated a number f links Apprved plicy 12 February March 2015 Paul Westmre IT Directr 13/03/ :25 Page 6 f 6