Encryption Security Standard

Virginia Commonwealth University Information Security Standard

Title: Encryption Security Standard

Approval: February 22, 2012
Effective: March 1, 2012
Compliance: July 1, 2013
Authority: VCU Information Security Officer
Review Frequency: Annually, or as needed

Scope: This document provides the encryption requirements for all data generated, processed, stored, transmitted, or used by all VCU faculty, staff, students, contractors, business partners, IT service providers, and other employees on behalf of VCU. This document is not intended to be used with data that is personally owned by individual employees and whose loss or theft would have no negative impact on VCU. Any unauthorized access to, or loss of, VCU data or equipment containing VCU data should be reported according to the instructions defined in section VII of this standard.

Revision History:
Version   Date                 Revision Issuance
0.1       August 4, 2011       Initial draft complete
0.2       August 22, 2011      Reviewed by IT Directors. Modifications made to definitions.
0.3       September 6, 2011    Reviewed by Technology Advisory Committee
1.0       February 22, 2012    Reviewed and approved by CIO

This standard supersedes the following archived standard: VCU Security Standard for Encryption, February 2008

Table of Contents
I. PURPOSE ... 3
II. DEFINITIONS ... 3
III. RESPONSIBILITIES ... 4
IV. STORAGE REQUIREMENTS ... 4
V. TRANSMISSION REQUIREMENTS ... 4
VI. EXCEPTION REQUESTS ... 5
VII. REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA ... 5
VIII. COMPLIANCE ... 5
Appendix A. Exception Request Form ... 6

I. PURPOSE

This standard defines the encryption requirements for data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. This document is intended to be used by VCU Data Stewards and Data Custodians to determine the need for, and applicability of, encryption for the data managed by these individuals.

II. DEFINITIONS

Category I Data - All data that require breach notifications in the event of improper release, as governed by Federal, State, or industry regulations and/or other civil statutes. (Please refer to the Data Classification Standards for additional information.)

Centrally Managed Network Storage Devices - Redundant electronic storage devices that are not native or directly connected to an individual's desktop, laptop, or other computing device. The network storage device is physically hosted and managed in data center(s) with appropriate physical access protection, monitoring, and access management controls. Locally hosted servers and storage devices, regardless of their networking capability or redundancy, will not be considered centrally managed network storage devices.

Encryption - The process or means of converting original data to an unintelligible form so that it cannot be read by unauthorized users.

Fixed Storage Device - Internal storage media used by a computer to store files. In a computer system, fixed storage devices are usually the computer's internal hard drive(s).

Data Custodian - An individual or organization in physical or logical possession of data for data stewards. Data custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems. Data custodians are directly responsible for the physical and logical security of the systems under their control.

Data Steward - The data steward is a University director or equivalent position who oversees the capture, maintenance, and dissemination of data for a particular operation. The data steward is responsible for ensuring data quality, developing consistent data definitions and sensitivity classifications, determining data aliases, developing standard calculations and derivations, defining security requirements, documenting all appropriate business rules, and monitoring data quality within the source system and/or data warehouse. The data steward is also responsible for communicating data protection requirements to the data custodian and for defining requirements for access to the data.

Laptop Computer - A laptop computer is a battery or AC powered portable computing device that operates on a traditional desktop operating system such as Microsoft Windows or Mac OS X.

University Owned Equipment - Unless specified otherwise by the sponsoring funding source, any equipment purchased with funding allocated to the Virginia Commonwealth University, or its employees, for the purpose of education, research, and administration.

III. RESPONSIBILITIES

The following section delineates the responsibilities of VCU employees in relation to the encryption and protection of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. VCU Technology Services is responsible for implementing and maintaining an enterprise encryption solution that includes disk or file based encryption for desktops and laptops. The implemented solution shall include a secure centralized management system for the administration and distribution of encryption software, keys, and key escrow.

B. Data stewards are responsible for adhering to the storage and transmission requirements delineated in this standard, and for collaborating with data custodians on the encryption of any applicable data.

C. Data custodians are responsible for adhering to the storage and transmission requirements delineated in this standard, and for implementing the encryption solution on IT systems used to store and transmit any applicable data.

IV. STORAGE REQUIREMENTS

The following section delineates the encryption requirements for the storage of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. Unless stored on University centrally managed or comparable network storage devices, all Category I data must be encrypted when stored in electronic format.

B. All fixed storage devices on University owned laptop computers must be encrypted with the VCU enterprise encryption solution.

V. TRANSMISSION REQUIREMENTS

The following section delineates the encryption requirements for the transmission of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. Encryption is required for session initiation and for all electronic transmission of Category I data.

VI. EXCEPTION REQUESTS

Exceptions to these standards may be requested by submitting an Information Security Policy and Standard Exception Request Form to the VCU Information Security Officer according to data ownership. This form is located in Appendix A of this document. The Information Security Officer shall have authority to approve or deny any exception request. In the event a request is denied, the requesting party may submit an appeal to the respective Chief Information Officer for final arbitration.

VII. REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA

In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. In the event that Category I data is suspected to have been improperly accessed, lost, or stolen, the theft or loss must be reported immediately to the VCU information security office at 828-1015 or infosec@vcu.edu.

VIII. COMPLIANCE

Compliance with this Encryption Security Standard is the responsibility of all individuals who generate, store, process, transmit, or use VCU data. This standard establishes standards for these individuals' actions in recognition of the fact that these individuals are provided unique system and data access, and that non-compliance with this agreement will be enforced through sanctions commensurate with the level of infraction. Violation of any of the foregoing requirements may subject an individual to temporary loss of access to data and, in severe cases, to disciplinary action including, but not limited to, suspension or dismissal, in accordance with the Employee Standards of Conduct, the University's Rules and Procedures, the Promotion and Tenure Policies and Procedures, the University Policy for Administrative and Professional Faculty and Faculty Holding Administrative Appointments, and/or any other applicable University procedures. In addition, non-compliance may constitute a violation of local, state, or federal laws or regulations. Violations may result in penalties such as fines and imprisonment. All individuals who generate, store, process, transmit, or use VCU data are expected to read, understand, and agree to the responsibilities defined in this standard and any published revisions of this standard.

Appendix A. Exception Request Form

VCU Information Security Policy and Standard Exception Request Form

Requester Name / Role:
Unit Name:
Authoritative Unit Head:
Requirement to which an exception is requested:
Contact Phone:

1. Provide the business or technical justification:
2. Describe the scope, including quantification and requested duration (not to exceed 1 year):
3. Describe all associated risks:
4. Identify the controls to mitigate the risks:
5. Identify any unmitigated risks:
6. When will compliance with the policy or standard be achieved?

By submitting this form, the Authoritative Unit Head acknowledges that they have evaluated the business issues associated with this request and accept any and all associated risks as being reasonable under the circumstances.

Authoritative Unit Head Signature:

VCU Information Security Officer (ISO) Use Only
Approval: Approved / Denied
Comments:
Signature:

VCU Chief Information Officer (CIO) Use Only (Used for Appeal)
Approval: Approved / Denied
Comments:
Signature:
