EA-POL-015 Enterprise Architecture - Encryption Policy


Technology & Information Services
EA-POL-015 Enterprise Architecture - Encryption Policy

Author: Craig Douglas
Date: 17 March 2015
Document Security Level: PUBLIC
Document Version: 1.0
Document Ref: EA-POL-015
Document Link: http://blogs.plymouth.ac.uk/strategyandarchitecture/wp-content/uploads/sites/4/2015/03/ea-pol-015-enterprise-architecture-encryption-policy.pdf
Review Date: March 2016

Purpose

The purpose of this policy is to provide Plymouth University with guidance on the use of encryption to protect the University's information resources that contain, process or transmit information classified as standard or restricted.

Audience

The intended audience for this policy is all Plymouth University employees, students and other affiliated partners, including contractors.

Scope

This policy applies to all Plymouth University employees, students and other affiliated partners, including contractors, where they are working with, processing, storing or moving University data assets. It addresses encryption policy and controls for standard and restricted data that is at rest (including portable devices and removable media), data in transit (transmission security), and encryption key standards and management.

Policy

Encryption Strength

Plymouth University will use FIPS-140-2 validated technologies (e.g. Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES) [1] (Triple Data Encryption Algorithm (TDEA)), etc.) for encrypting information classified as standard or restricted data under the Plymouth University Data Classification and Management Policy (EIM-POL-001), unless documented through an exception process.

Symmetric cryptosystem key lengths must be at least 192 bits or stronger for both standard and restricted data. Asymmetric cryptosystem keys must be of a length that yields equivalent strength (e.g. the US National Institute for Science and Technology (NIST) states an approximate equivalence of 256 bit symmetric = 15360 bit asymmetric length [2]).

To comply with this policy:

- All encryption mechanisms implemented to comply with this policy support a minimum of, but not limited to, AES 192-bit encryption.
- The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts independent of the vendor in question and approved by the Plymouth University Enterprise Security.
Plymouth University's key length requirements will be reviewed annually and upgraded as technology allows.

Data at Rest

Hard drives which do not benefit from full disk encryption may have encrypted partitions; the remainder of the disk may be logically separated but remain unencrypted, or may connect (or mount) other unencrypted devices. This could lead to information leakage between the secured and unsecured areas and will potentially disclose vulnerable information if interrogated. The hard drive's unencrypted auto-recovery folder may retain unencrypted versions or fragments of files that have been saved to the encrypted portion of the disk or USB. The use of full disk encryption avoids this problem, and is currently the only suitable solution approved by Plymouth University.

[1] Three 64 bit keys are used, instead of one, for an overall key length of 192 bits (the first encryption is encrypted with second key, and the resulting cipher text is again encrypted with a third key)
[2] NIST Special Publication 800-57 Recommendation for Key Management Part 1: General (Revision 3). Barker, Barker, Burr, Polk and Smid. http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
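Added example (not part of the Plymouth University policy): a Python check that applies the 192-bit minimum and the "equivalent strength" rule from the Encryption Strength section to a key inventory, using the comparable-strength figures of NIST SP 800-57 Part 1 (Revision 3), the publication cited in footnote 2. The inventory, the key names, the "XCIPHER" algorithm and the verdict labels are constructed for illustration.

```python
from typing import NamedTuple

POLICY_MIN_BITS = 192  # the policy's minimum symmetric key length

# Comparable strengths from NIST SP 800-57 Part 1 (Rev. 3), strongest first:
# (security strength in bits, smallest key size that reaches it).
RSA_MODULUS = [(256, 15360), (192, 7680), (128, 3072), (112, 2048), (80, 1024)]
ECC_ORDER = [(256, 512), (192, 384), (128, 256), (112, 224), (80, 160)]
# Symmetric ciphers: (algorithm, key length as the policy counts it) -> strength.
SYMMETRIC = {("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
             ("3TDEA", 192): 112}  # three 64-bit keys (footnote 1)


class Key(NamedTuple):
    name: str
    algorithm: str
    bits: int


# Constructed sample inventory; every name and size here is illustrative.
INVENTORY = [
    Key("backup-volume", "AES", 256),
    Key("laptop-fde", "AES", 128),
    Key("legacy-hsm", "3TDEA", 192),
    Key("sftp-host-key", "RSA", 4096),
    Key("vpn-ca", "RSA", 7680),
    Key("tls-leaf", "ECC", 384),
    Key("vendor-x", "XCIPHER", 256),  # made-up proprietary algorithm
]


def strength(key):
    """NIST security strength in bits, or None if the algorithm is unknown."""
    if (key.algorithm, key.bits) in SYMMETRIC:
        return SYMMETRIC[(key.algorithm, key.bits)]
    table = {"RSA": RSA_MODULUS, "ECC": ECC_ORDER}.get(key.algorithm)
    if table is None:
        return None
    # Strongest level whose minimum size this key reaches, else 0.
    return next((s for s, size in table if key.bits >= size), 0)


def verdict(key):
    s = strength(key)
    if s is None:
        return "review"           # unrecognised: needs independent expert review
    if s >= POLICY_MIN_BITS:
        return "ok"
    if (key.algorithm, key.bits) in SYMMETRIC and key.bits >= POLICY_MIN_BITS:
        return "key-length-only"  # long enough key, lower rated strength
    return "below-minimum"


def audit(inventory):
    return {k.name: verdict(k) for k in inventory}


if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(f"{name:15} {result}")
```

By these figures a 4096-bit RSA key rates 128 bits and so falls short of the equivalent-strength rule, which needs a 7680-bit modulus or a 384-bit elliptic-curve key. Three-key TDEA satisfies the 192-bit key-length wording while NIST rates its security strength at 112 bits.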

Systems that are likely to hold information, which is classified as standard or restricted and owned or controlled by Plymouth University, must be protected at rest by:

- Full disk encryption
- Firewalls with strict auditable access control that authenticates the identity of individuals accessing the data.

Complex password protection, as defined in Plymouth University Information Security Policy Supporting Documentation SEC-GDL-003 University Account Passwords [3], should be used in conjunction with encryption and access control. Password control alone is not an acceptable alternative to protecting standard or restricted information.

Backup solutions, irrespective of media and location, must be protected using at least AES 192-bit algorithm based encryption techniques.

All computer hard drives or other storage media, whether encrypted or not, shall be sanitised prior to resale or destruction in accordance with the Data Destruction Policy and associated standard.

Portable Devices

Portable devices represent a specific category of device that contain data-at-rest. A large proportion of information security incidents involving unauthorised exposure of restricted data are as a result of lost or stolen portable computing devices. The best way to prevent these incidents is to avoid storing standard or restricted data on such devices. Restricted data must not be copied or stored on a portable or non-university owned computing device. However, in practice, where a secured remote connection to a University device is not suitable, the use of encryption techniques will reduce the risk of unauthorised disclosure in the event of loss or theft.

When standard or restricted data is to be stored on portable computing equipment (including but not limited to laptops, tablets, smart phones, external hard drives, USB keys etc.):

- Permission must be obtained by the information owner to do so
- The devices in question must be encrypted using methods and products approved by Plymouth University Enterprise Security.
- The devices in question, where appropriate, must have additional security mechanisms in place such as firewall, anti-virus/anti-malware, proper password protection, be fully security patched for all resident software and have unnecessary services and communication ports and protocols switched off.
- Removable media, including but not limited to optical disks, USB memory drives, tape etc. must be encrypted and stored in a secure locked location.
- Transportation of removable media by a 3rd party must be done in a secure manner and a data handling audit trail must be recorded.
- Portable media containing standard or restricted information must be in the possession of an authorised user at all times (e.g. must not be checked in with luggage during transit).
- The recipient of the removable media must be identified to ensure the person requesting the data is the one claimed.
- Plymouth University will audit encrypted devices and validate implementation of encryption products at regular intervals.
- These devices must not be used for long-term storage of such data; when the data has been processed it is the user's responsibility to ensure it has been deleted from the storage media.

[3] http://blogs.plymouth.ac.uk/strategyandarchitecture/wp-content/uploads/sites/4/2014/06/sec-gdl-003-University-Account-Passwords.pdf

Transmission Security

Users will follow the Plymouth University Enterprise Architecture Policy Data Transfer (EA-POL-012) when transmitting data and must take particular care when transmitting or re-transmitting restricted information.

Information owned by 3rd parties must only be transmitted with the owner's approval and is subject to any additional policies they may have in place.

Standard or restricted information transmitted by email must be encrypted, with the appropriate password being delivered using a different medium.

Standard or restricted information transmitted through a public network must be encrypted or transmitted through an encrypted tunnel, such as an SSL or IPSec secured Virtual Private Network (VPN).

Transmitting unencrypted restricted information through the use of web email software is not permitted.

Sharing standard or restricted information over Peer-to-Peer (P2P) file-sharing programs requires specific authorisation in writing from both the University Data Protection Officer and Enterprise Security; this will be reported to the Chief Information Officer for sign off before transmission can start.

Wireless transmission (Wi-Fi) used to access Plymouth University portable computing devices or internal networks must be encrypted using IEEE 802.11i WPA2 (AES) or better.

Plymouth University permits the secure encrypted transfer of information over the Internet using file transfer programs such as Secured File Transfer Protocol (SFTP over Secure Shell (SSH)) and Secure Copy (SCP).
Only authorised devices may perform the SSH/SCP operations; these must be maintained by Technology and Information Systems, are for the use of authorised users only, and are subject to the following conditions:

- Anonymous FTP is not permitted.
- Standard FTP is not encrypted and must not be used on any Internet facing systems or where standard or restricted data is being transmitted.
- All accounts and keys must be stored and managed from within the Plymouth University network
- All transactions and transfers must be logged, and reviewed for prohibited activity
- All files contained within the managed system or user's profile must be deleted within seven days after they are delivered or made available for retrieval.

Encryption Key Management

Effective key management is essential for ensuring the security and compliance of any encryption system. Key management procedures must ensure that authorised users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements. Plymouth University key management systems will:

- Use procedures that enforce least privilege concepts and promote separation of duty for support personnel.
- Have verifiable backup solutions for key passwords, files and other related backup configuration data
- Ensure keys will be transmitted securely only when the requestor is authorised to receive them and has been identified as that individual.
- Adopt key management tools which are fully automated; staff must not have the opportunity to expose the key or influence its creation
- Make provision such that keys in storage and transit must themselves be encrypted.
- Private keys must be kept confidential
- Keys must be randomly generated using hardware based randomisation
- Keys used for the encrypting of other keys must be maintained separately from data keys
- A complete audit trail of all key management activities must be maintained and stored securely as defined in the Records Retention Data Storage Schedule.

Exception Management

Exceptions to this policy may be granted using the Enterprise Architecture Waiver Process and will be considered by the Enterprise Security on merit, risk to University classified standard or restricted information, as well as alignment with the overall security architecture.

Failure to comply with this policy may lead to the solution architecture being rejected during Enterprise Architecture review, returned for rework or placed on hold. In circumstances where failure to comply leads to a breach of information security or of significant risk of the same, disciplinary action may be taken due to the terms of employment being breached. In addition, any systems configured in a manner that contravenes this policy and other related policies will be disabled pending investigation.

Supporting Documentation

This policy is supported by established Enterprise Architecture documents, namely:

Enterprise Architecture Principles - Principle 8: Data Security
Security must be designed into data elements from the beginning; it cannot be added later. Systems, data, and technologies must be protected from unauthorised access and manipulation.
Vice Chancellor's Executive information must be safeguarded against inadvertent or unauthorised alteration, sabotage, disaster, or disclosure.

Enterprise Architecture Principles - Principle 9: Data is an Asset
Accurate, timely data is critical to accurate, timely decisions. Most corporate assets are carefully managed, and data is no exception. Data is the foundation of our decision-making, so we must also carefully manage data to ensure that we know where it is, can rely upon its accuracy, and can obtain it when and where we need it; in doing so data assets can provide additional value to academic and research endeavors.

Enterprise Architecture Principles - Principle 10: Data is Shared
Data, where applicable, will be available externally to the enterprise. This will afford both rich service provision and also the ability to perform research collaboratively with partners.

Enterprise Architecture Principles - Principle 11: Data is Accessible
Wide access to data leads to efficiency and effectiveness in decision-making, and affords timely response to information requests and service delivery. Using information must be considered from an enterprise perspective to allow access by a wide variety of users. Staff time is saved and consistency of data is improved.

Enterprise Architecture Principles - Principle 17: Data will be Analysable
Data assets provide invaluable information to the enterprise for research and business intelligence decision-making when gathered, stored and accessed correctly.

EA-POL-012 Enterprise Architecture Policy Data Transfer
Secure protocols will always be used in preference over unsecured protocols for data transmission. If no secured protocol is available then a secured tunneling (IPSec or SSL VPN) technique must be utilised to prevent information being transmitted in plain sight of network users.

SEC-GDL-003 University Account Passwords
University password requirements

EIM-POL-001 - Data Classification and Management Policy
3. Assigning classification levels

Document Control

Version | Author | Position | Details | Date/Time | Approved by | Position | Date/Time
0.1 | Craig Douglas | Enterprise | Initial Document | 18 September 2014 | | |
0.2 | Craig Douglas | Enterprise | Update following EAP Review | 13 October 2014 | | |
0.3 | Craig Douglas | Enterprise | Updated Template | 14 January 2015 | | |
0.4 | Paul Ferrier | Enterprise Security | Updated a number of links | 12 February 2015 | | |
1.0 | PW, AH, GB, CD, PF | IT Director, HS, EA | Approved policy | 13 March 2015 | Paul Westmore | IT Director | 13/03/2015 12:25