Virginia Commonwealth University
Information Security Standard

Title: Encryption Security Standard
Approval: February 22, 2012
Effective: March 1, 2012
Compliance: July 1, 2013
Authority: VCU Information Security Officer
Review Frequency: Annually, or as needed

Scope: This document provides the encryption requirements for all data generated, processed, stored, transmitted, or used by all VCU faculty, staff, students, contractors, business partners, IT service providers, and other employees on behalf of VCU. This document is not intended to be used with data that is personally owned by individual employees and that, if lost or stolen, has no negative impact on VCU. Any unauthorized access or loss of VCU data or equipment containing VCU data should be reported according to the instructions defined in section VII of this standard.

Revision History:
  Version   Date                 Revision Issuance
  0.1       August 4, 2011       Initial draft complete
  0.2       August 22, 2011      Reviewed by IT Directors. Modifications made to definitions.
  0.3       September 6, 2011    Reviewed by Technology Advisory Committee
  1.0       February 22, 2012    Reviewed and approved by CIO

This standard supersedes the following archived standards: VCU Security Standard for Encryption, February 2008
Table of Contents
  I.    PURPOSE ........................................... 3
  II.   DEFINITIONS ....................................... 3
  III.  RESPONSIBILITIES .................................. 4
  IV.   STORAGE REQUIREMENTS .............................. 4
  V.    TRANSMISSION REQUIREMENTS ......................... 4
  VI.   EXCEPTION REQUESTS ................................ 5
  VII.  REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA ...... 5
  VIII. COMPLIANCE ........................................ 5
  Appendix A. Exception Request Form ...................... 6

Page 2 of 7
I. PURPOSE

This standard defines the encryption requirements for data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. This document is intended to be used by VCU Data Stewards and Data Custodians to determine the need and applicability of encryption for the data managed by these individuals.

II. DEFINITIONS

Category I Data - All data that require breach notifications in the event of improper release as governed by Federal, State, industry regulations, and/or other civil statutes. (Please refer to the Data Classification Standards for additional information.)

Centrally Managed Network Storage Devices - Redundant electronic storage devices that are not native or directly connected to an individual's desktop, laptop, or other computing device. The network storage device is physically hosted and managed in data center(s) that have appropriate physical access protection, monitoring, and access management controls. Locally hosted servers and storage devices, regardless of their networking capability or redundancy, will not be considered centrally managed network storage devices.

Encryption - The process or the means of converting original data to an unintelligible form so it cannot be read by unauthorized users.

Fixed Storage Device - Internal storage media used by a computer to store files. In a computer system, fixed storage devices are usually the computer's internal hard drive(s).

Data Custodian - An individual or organization in physical or logical possession of data for data stewards. Data custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems. The data custodians are directly responsible for the physical and logical security of the systems that are under their control.
Data Steward - The data steward is a University director or equivalent position who oversees the capture, maintenance, and dissemination of data for a particular operation. The data steward is responsible for ensuring data quality, developing consistent data definitions and sensitivity classifications, determining data aliases, developing standard calculations and derivations, defining security requirements, documenting all appropriate business rules, and monitoring data quality within the source system and/or data warehouse. The data steward is also responsible for communicating data protection requirements to the data custodian and for defining requirements for access to the data.

Laptop Computer - A laptop computer is a battery or AC powered portable computing device that operates on traditional desktop operating systems such as Microsoft Windows and Mac OSX.

University Owned Equipment - Unless specified otherwise by the sponsoring funding source, any equipment purchased with funding allocated to the Virginia Commonwealth University, or its employees, for the purpose of education, research, and administration.

III. RESPONSIBILITIES

The following section delineates responsibilities of VCU employees in relation to the encryption and protection of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. VCU Technology Services is responsible for implementing and maintaining an enterprise encryption solution that includes disk or file based encryption for desktops and laptops. The implemented solution shall include a secure centralized management system for administration and distribution of encryption software, keys, and key escrow.

B. Data stewards are responsible for adhering to the storage and transmission requirements delineated in this standard, and for collaborating with data custodians on the encryption of any applicable data.

C. Data custodians are responsible for adhering to the storage and transmission requirements delineated in this standard, and for implementing the encryption solution on IT systems used to store and transmit any applicable data.

IV. STORAGE REQUIREMENTS

The following section delineates the encryption requirements for the storage of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. Unless stored on University centrally managed or comparable network storage devices, all Category I data must be encrypted when stored in electronic format.

B. All fixed storage devices on University owned laptop computers must be encrypted with the VCU enterprise encryption solution.

V. TRANSMISSION REQUIREMENTS

The following section delineates the encryption requirements for the transmission of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University.

A. Encryption is required for session initiation and all electronic transmission of Category I data.
VI. EXCEPTION REQUESTS

Exceptions to these standards may be requested by submitting an Information Security Policy and Standard Exception Request Form to the VCU Information Security Officer according to data ownership. This form is located in Appendix A of this document. The Information Security Officer shall have authority to approve or deny any exception request. In the event a request is denied, the requesting party may submit an appeal to the respective Chief Information Officer for final arbitration.

VII. REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA

In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. In the event that Category I data is suspected to be improperly accessed, lost, or stolen, the theft or loss must be reported immediately to the VCU information security office at 828-1015 or infosec@vcu.edu.

VIII. COMPLIANCE

Compliance with this Encryption Security Standard is the responsibility of all individuals who generate, store, process, transmit, or use VCU data. This standard establishes standards for these individuals' actions in recognition of the fact that these individuals are provided unique system and data access, and that non-compliance with this agreement will be enforced through sanctions commensurate with the level of infraction. Violation of any of the foregoing requirements may subject an individual to temporary loss of access to data and, in severe cases, disciplinary action including, but not limited to, suspension or dismissal, in accordance with the Employee Standards of Conduct, the University's Rules and Procedures, the Promotion and Tenure Policies and Procedures, the University Policy for Administrative and Professional Faculty and Faculty Holding Administrative Appointments, and/or any other applicable University procedures. In addition, non-compliance may constitute violations of local, state, or federal laws or regulations. Violations may result in penalties such as fines and imprisonment.

All individuals who generate, store, process, transmit, or use VCU data are expected to read, understand, and agree to the responsibilities defined in this standard and any published revisions of this standard.
Appendix A. Exception Request Form

VCU Information Security Policy and Standard Exception Request Form

Requester Name / Role:
Unit Name:
Authoritative Unit Head:
Contact Phone:
Requirement to which an exception is requested:

1. Provide the business or technical justification:
2. Describe the scope, including quantification and requested duration (not to exceed 1 year):
3. Describe all associated risks:
4. Identify the controls to mitigate the risks:
5. Identify any unmitigated risks:
6. When will compliance to policy or standard be achieved?

By submitting this form, the Authoritative Unit Head acknowledges that they have evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances.

Authoritative Unit Head Signature:

VCU Information Security Officer (ISO) Use Only
  Approval: [ ] Approved  [ ] Denied
  Comments:
  Signature:

VCU Chief Information Officer (CIO) Use Only (Used for Appeal)
  Approval: [ ] Approved  [ ] Denied
  Comments:
  Signature: