Encryption Policy (ISP03)

Similar documents
Guidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

INFORMATION SECURITY POLICY

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Newcastle University Information Security Procedures Version 3

Data Protection Act Guidance on the use of cloud computing

Summary Electronic Information Security Policy

Why do we need to protect our information? What happens if we don t?

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Encryption Policy Version 3.0

Information Security Policies. Version 6.1

IT Data Security Policy

Data Security Policy. 1. Document Status. Version 1.0. Approval. Review By June Secure Research Database Analyst. Change History. 1 Version 1.

UTC Cambridge ICT Policy

University of Limerick Data Protection Compliance Regulations June 2015

USB Portable Storage Device: Security Problem Definition Summary

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

Kaspersky Lab s Full Disk Encryption Technology

Service Overview CloudCare Online Backup

Telephone Acceptable Use Policy (ISP05)

Encryption and Digital Signatures

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

SECURITY POLICY REMOTE WORKING

BUSINESS COMPUTER SECURITY. aaa BUSINESS SECURITY SECURITY FOR LIFE

P Mobile Device Security.

Information Security Policy. Information Security Policy. Working Together. May Borders College 19/10/12. Uncontrolled Copy

How To Protect Your Information From Being Hacked By A Hacker

Credit Card Security

Protecting personally identifiable information: What data is at risk and what you can do about it

CHAPTER 124B COMPUTER MISUSE

The Information Security Tool Kit Think secure

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

Data Transfer Policy. Data Transfer Policy London Borough of Barnet

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

Vs Encryption Suites

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_ Effective of 7 Title: Corporate Information Technology Usage Policy

For your eyes only - Encryption and DLP Erkko Skantz

White Paper. Improved Delivery and Management of Critical Information: Solicitors Regulation Authority Compliance

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

As simple as and as secure as postal mail.

A practical guide to IT security

FileCloud Security FAQ

Information Security Policy for Associates and Contractors

How To Protect Data At Northeast Alabama Community College

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SOFTWARE LICENSING POLICY

Internet threats: steps to security for your small business

Designation of employee(s) in charge of the program; Identifying and assessing risks/threats and evaluating and improving

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Service Level Standard

The following information was provided by SANS and discusses IT Security Awareness. It was last updated in 2015.

Estate Agents Authority

USB Portable Storage Device: Security Problem Definition Summary

IT ACCESS CONTROL POLICY

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

Big Data Analytics Service Definition G-Cloud 7

Cloud Software Services for Schools

How to use Alertsec to Enable SOX Compliance for Your Customers

If you have any questions about any of our policies, please contact the Customer Services Team.

How To Protect Research Data From Being Compromised

Data Protection Division Guidance Note Number 10/08

The Wellcome Trust Sanger Institute IT Acceptable Use Policy (AUP) Version 1.8

10 Hidden IT Risks That Threaten Your Financial Services Firm

Privacy and Electronic Communications Regulations

Merthyr Tydfil County Borough Council. Data Protection Policy

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

How To Protect School Data From Harm

INTRODUCTION TO CRYPTOGRAPHY

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Remote Access and Home Working Policy London Borough of Barnet

NETWORK SECURITY GUIDELINES

Information Security Policy

HP ProtectTools Embedded Security Guide

Network Security Policy

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & POLICY AND CODE

Unipass Identity User Guide & FAQ Document v1.1

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Borough of Poole Staff (Adult Social Care) Encryption: Sending secure, encrypted e- mails & attachments

Guidance for sending and receiving an encrypted NHSmail

School of Anthropology and Museum Ethnography & School of Interdisciplinary Area Studies Information Security Policy

Terms and Conditions. Acceptable Use Policy Introduction. Compliance with UK Law. Compliance with foreign law

HIPAA Compliance and the Protection of Patient Health Information

Information Security Incident Reporting & Investigation

PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Hang Seng HSBCnet Security. May 2016

DSHS CA Security For Providers

INFORMATION WE MAY COLLECT FROM YOU

High Security Online Backup. A Cyphertite White Paper February, Cloud-Based Backup Storage Threat Models

How To Use Attix5 Pro For A Fraction Of The Cost Of A Backup

Hosted File Backup for business. Keep your data safe with our cloud backup service

Good Practice in Records Management and Information Security

Transcription:

Encryption Policy (ISP03)

Issue Date: December 2014 Version 1.0 DOCUMENT CONTROL...3 1 INTRODUCTION...4 2 DEFINITION...4 3 WHEN TO USE ENCRYPTION...4 4 MANAGEMENT....4 5 ENCRYPTION STANDARDS...4 6 UK LAW...4 7 TRAVELLING ABROAD...5 2

Document Control Policy Version:- 2.0 Policy Review Interval:- Author:- Annually by Information Security Group from the date of authorisation Director of LISD Authorised By:- ISG Group Members:- Information Security Group Director of Estates Head of IT Infrastructure Services Director of Library and Information Services Division LISD IT and Development Manager Authorisation Date:- December 2014 3

1. Introduction This Encryption Policy sets out the principles and expectations of how and when information should be encrypted. 2. Definition Encryption is the process of encoding (or scrambling) information so that it can only be converted back to its original form (decrypted) by someone who (or something which) possesses the correct decoding key. Confidential information is information about people that may cause harm or distress to those people were it to be disclosed (for example name, address, date of birth, bank credit card or passport details, student ID numbers etc.). In addition information about the College s clinical, research, teaching and business activities may be confidential, not least in terms of commercial sensitivity and you should think carefully about the potential risk of storing or transmitting such information unencrypted. 3. When to use encryption Encryption must always be used to protect strictly confidential information transmitted over data networks to protect against risks of interception. This includes when accessing network services which require authentication (for example, usernames and passwords) or when otherwise sending or accessing strictly confidential information (for example, in emails). Where confidential data is stored on or accessed from mobile devices (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders) the devices themselves must be encrypted (using "full disk" encryption), irrespective of ownership. Where strictly confidential data is stored in public, cloud based storage facilities the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data. Where data is subject to an agreement with an external organisation, the data should be handled (stored, transmitted or processed) in accordance with the organisation s specified encryption requirements. 4. Key management In most cases, encryption keys will be in the form of a password or passphrase. Losing or forgetting the encryption key will render encrypted information unusable so it is critical that encryption keys are effectively managed. When devices are encrypted by IT Helpdesk staff, LISD will take responsibility for the secure management of the keys. In all other cases, it will be the individual member's responsibility to manage the keys. It is advisable to make secure backups of your keys and to consider storing copies with trusted third parties. 5. Encryption standards There are many different encryption standards available. Only those which have been subject to substantial public review and which have proven to be effective should be used. Specific guidance is available from the IT Helpdesk and/or the Data Protection Officer. 4

6. UK law Export regulations relating to cryptography (encryption) are complex, but so long as the encryption software used to encrypt a device or file is considered to be a "mass market" product it is unlikely that you will encounter any problems leaving or re-entering the UK. That said, you may be required to decrypt any devices or files by UK authorities on leaving, entering or re-entering the country. If you are requested to decrypt your files or devices you are advised to do so. Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes a provision whereby certain "public authorities" (including, but not limited to law enforcement agencies) can require the decryption of devices or files. Failure to comply with such a lawful request is a criminal offence in the UK. 7. Travelling abroad In addition to what has been written above about export regulations, you should also be aware that government agencies in any country may require you to decrypt your devices or files on entry or exit from the country. If you are travelling abroad with encrypted confidential data this means that there is a risk that the data may have to be disclosed and you should consider the consequences of this. Wherever possible, do not take confidential data with you when you travel (keep the data at the College and access it using the College s secure, remote access facilities unless there are exceptional circumstances). Particular attention should be paid to the possible inadvertent export of data subject to the Data Protection Act to countries outside of the EEA (or the few other countries deemed to have adequate levels of protection) when travelling. 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information