Encryption and Protection of Media High-Level Process

Parent Policy: Information Security
Classification: Internal

Contents
1.0 Scope and Purpose
2.0 Process and Procedures
2.1 Data At Rest
2.2 Devices and Media
2.3 Data in Motion (Transit/Transfer)
2.4 Sharing Encryption Keys and Passwords
3.0 Applicable Roles, Responsibilities, and Skills
4.0 Measurement and Metrics
5.0 Continual Improvement
6.0 Resources

1.0 Scope and Purpose

This high-level process supports the implementation of the Information Security Policy. It applies to all Users and describes where and when encryption must be used, depending on the type of storage media and information. University-approved encryption solutions must be used to safeguard data and information classified as "Confidential" or "Highly Confidential" [1]. Information may also be referred to as "Sensitive" when it relates to a person. In this process, all three classes are collectively referred to as "in-scope classes". Encryption of in-scope class data and information is required whenever it is processed, stored, or transmitted, unless otherwise described below.

Portable storage media (e.g. external disk or solid-state drives, flash memory, DVD, CD-ROM, etc.) can be convenient to use, but because such devices are more easily lost, stolen, or damaged, they can cause a security incident through loss of confidentiality, integrity, or availability. ITS strongly discourages placing "Confidential" or "Highly Confidential" data on portable media at all; portable media must in any case be encrypted at all times, irrespective of the classification of its content. (See the glossary in the knowledge base for the definition of terms used in this document.)

2.0 Process and Procedures

USF's Information Technology Services (ITS) will implement and apply reasonable security safeguards, practices, and procedures to protect the University's data and information assets. The practices will be aligned to an authoritative information security standards framework (e.g. ISO, NIST, PCI, SANS-CIS, etc.) to comply with Federal, State, and local laws and regulations. ITS will collaborate with designated information stewards, asset owners, Schools, Colleges, and Departments to implement the safeguards using a risk-based approach. This process covers the encryption of data and information:

  • at rest,
  • on physical devices,
  • in motion, being transferred, and
  • the management of access keys.

The following process requirements apply to all three asset categories (infrastructure, applications, and endpoints) unless otherwise indicated as being category specific. (The lines beginning "ITS follows an internal SOP" indicate the active response that USF ITS uses to satisfy each requirement. The internal Standard Operating Procedures (SOPs) are accessible to ITS only.)

2.1 Data at Rest

Asset categories: Infrastructure | Applications | Endpoint Assets

1. All University-managed databases containing highly confidential or sensitive data must encrypt data and information at rest, with the exception of those University-wide (enterprise) resources housed in approved restricted-access facilities such as the ITS Data Center.
ITS follows an internal SOP to encrypt USF databases both inside and outside of the data center.

2. All databases, application servers, and file systems that contain "Confidential" or "Highly Confidential" data must use appropriate access control to ensure that access to the data is limited to those whose job functions require access.
ITS follows an internal SOP to address how User access is granted and revoked, aligned to a User's role and job function.

3. Archiving highly confidential or sensitive data to a physical medium (e.g. external HDD, DVD, CD-ROM) is not recommended, but is permitted if the data is encrypted to ITS standards. All archiving should be done electronically so that data is stored in an ITS Data Center and backed up by ITS.
ITS follows an internal SOP to back up data stored in USF's data center and send this offsite for archive.

2.2 Devices and Media

Asset categories: Infrastructure | Applications | Endpoint Assets

1. Full-disk encryption (FDE) is required for all desktops, laptops, mobile devices, and any portable media and drives that may be used to store, process, or transmit highly confidential or sensitive data. FDE is added by ITS to University-funded personal computers (PCs); on Apple devices it is included with the native operating system (FileVault on macOS), but it must be turned on and verified rather than assumed to be active.
ITS follows an internal SOP to apply FDE to PCs.

2. Full-disk encryption (FDE) solutions must be applied to portable media storage such as hard disk drives, solid-state drives, USB/flash drives, etc.
See FAQ/How Do I?
ITS follows an internal SOP to apply FDE to portable media storage.

3. Smartphones (Android and Apple) and tablets (iPads) come with their own FDE equivalents. Their protection is only as strong as the device passcode: a weak (simple) passcode can be guessed, which negates the FDE, so there is an elevated risk of loss or compromise when highly confidential or sensitive data is placed on these devices. Third-party storage encryption can be added to the device.
See FAQ/How Do I? set up a strong/complex passcode.
ITS follows an internal SOP to check for complex passcodes on smartphones and cellular tablets connecting to the USF network.

4. System data disks from servers, storage systems, and LAN printers, and portable media used to store encrypted highly confidential or sensitive data, must be securely erased or confidentially destroyed once no longer used for storage and before disposal. Degaussing destroys data only on magnetic media; solid-state and flash media (SSDs, USB/flash drives) must instead be sanitized with a method suited to flash (e.g. the drive's built-in secure erase, or destruction of the encryption key of an encrypted volume) or be physically destroyed.
ITS follows an internal SOP to securely erase data and degauss disks.
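The FDE requirements in 2.2 (items 1 to 3) are only satisfied if encryption is actually enabled on the device, which can be verified from the output of the operating system's own tool. The following Go program is an added example written for this page, not an ITS tool or SOP: it classifies the output of `fdesetup status` (macOS), `manage-bde -status` (Windows) and `lsblk` (Linux) and, when run on a machine, executes the appropriate command. The sample outputs embedded in it are constructed, and the volume name `C:` and the default mountpoint `/` are assumptions about the local machine.

```go
// Added example, not ITS code: decide from the native tool's output whether a
// volume is under full-disk encryption. The parsers take the output as a string
// so they can be run on the constructed samples below; checkLocal runs the real
// tool for the current OS (commands are the standard ones; the volume C: and
// mountpoint / are assumptions about the local machine).
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"runtime"
	"strings"
)

// FileVaultOn parses `fdesetup status` (macOS): "FileVault is On." / "FileVault is Off."
func FileVaultOn(out string) bool {
	return strings.Contains(out, "FileVault is On.")
}

var (
	conversionRe = regexp.MustCompile(`Conversion Status:\s*(.+)`)
	protectionRe = regexp.MustCompile(`Protection Status:\s*(.+)`)
)

// BitLockerProtected parses `manage-bde -status <volume>` (Windows). Both fields
// matter: a suspended volume is still "Fully Encrypted" but reports "Protection
// Off", and its clear key is then stored on the disk itself.
func BitLockerProtected(out string) bool {
	c := conversionRe.FindStringSubmatch(out)
	p := protectionRe.FindStringSubmatch(out)
	return c != nil && p != nil &&
		strings.TrimSpace(c[1]) == "Fully Encrypted" &&
		strings.TrimSpace(p[1]) == "Protection On"
}

type blockDev struct{ typ, parent string }

// LsblkEncrypted parses `lsblk -rn -o NAME,TYPE,MOUNTPOINT,PKNAME` (Linux). Raw
// mode prints one device per line, single-space separated, empty fields left
// empty, so a positional split is exact. The volume at mountpoint counts as
// encrypted when it or any ancestor (LVM on LUKS is common) has TYPE "crypt";
// an unknown mountpoint counts as not encrypted.
func LsblkEncrypted(out, mountpoint string) bool {
	devs := map[string]blockDev{}
	target := ""
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimRight(line, "\r"), " ")
		if len(f) < 4 {
			continue
		}
		devs[f[0]] = blockDev{typ: f[1], parent: f[3]}
		if f[2] == mountpoint {
			target = f[0]
		}
	}
	for name := target; name != ""; name = devs[name].parent {
		if devs[name].typ == "crypt" {
			return true
		}
	}
	return false
}

// Constructed sample outputs (not captured from real machines).
const (
	sampleBitLockerOn        = "Volume C: [OSDisk]\n    Conversion Status:    Fully Encrypted\n    Protection Status:    Protection On\n"
	sampleBitLockerSuspended = "Volume C: [OSDisk]\n    Conversion Status:    Fully Encrypted\n    Protection Status:    Protection Off\n"
	// Root on LVM over LUKS; a USB stick mounted at /media/usb with no encryption layer.
	sampleLsblk = "nvme0n1 disk  \n" +
		"nvme0n1p1 part /boot/efi nvme0n1\n" +
		"nvme0n1p3 part  nvme0n1\n" +
		"cryptroot crypt  nvme0n1p3\n" +
		"vg-root lvm / cryptroot\n" +
		"sdb disk  \n" +
		"sdb1 part /media/usb sdb\n"
)

// checkLocal runs the platform tool and classifies its output.
func checkLocal(mountpoint string) (bool, error) {
	switch runtime.GOOS {
	case "darwin":
		out, err := exec.Command("fdesetup", "status").Output()
		return err == nil && FileVaultOn(string(out)), err
	case "windows":
		out, err := exec.Command("manage-bde", "-status", "C:").Output()
		return err == nil && BitLockerProtected(string(out)), err
	case "linux":
		out, err := exec.Command("lsblk", "-rn", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME").Output()
		return err == nil && LsblkEncrypted(string(out), mountpoint), err
	}
	return false, fmt.Errorf("unsupported OS: %s", runtime.GOOS)
}

func main() {
	ok, err := checkLocal("/")
	if err != nil {
		fmt.Println("check failed:", err)
		os.Exit(2)
	}
	fmt.Println("volume encrypted:", ok)
}
```

On Linux, calling LsblkEncrypted with the mountpoint of a portable drive (for example /media/usb) checks item 2 for that drive. The BitLocker parser deliberately requires "Protection On" as well as "Fully Encrypted": a suspended BitLocker volume still reads as fully encrypted, yet its key is left in the clear on disk, so a check on conversion status alone would pass a machine that offers no real protection.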

2.3 Data in Motion (Transit/Transfer)

Asset categories: Infrastructure | Applications | Endpoint Assets

1. Transfer of unencrypted highly confidential or sensitive data must be done using an encrypted transfer method (e.g. secure transport client/server products that provide network transport-layer encryption). Highly confidential or sensitive data that is encrypted first may be transmitted by an encrypted method (e.g. PSCP, SCP, WS_FTP) or by an unencrypted method (e.g. FTP, telnet). Note that an unencrypted transport still exposes the login credentials and the file names in transit, so an encrypted transport is preferable even for data that is already encrypted, and the password or key for the encrypted data must be delivered separately (see 2.4).
See How Do I? request ITS assistance to perform a secure network file transfer.
ITS follows an internal SOP to securely transfer data.

2. Email containing highly confidential or sensitive data sent to external, non-USF recipients must be sent using the USF Secure Mail service (Proofpoint Encryption); see the SOP on how to send and receive emails using Proofpoint Encryption. All outbound email is scanned to ensure email hygiene, so encrypted or password-protected attachments (which cannot be scanned) sent via USF's standard email will be rejected.
ITS follows an internal SOP to enable secure email for authorized, trained users.

3. The physical transfer of highly confidential or sensitive data must be encrypted; unencrypted physical transfer is not allowed. If there is a business need to perform a physical transfer, a request for an exception to the process must be submitted. If approved, the physical transfer of highly confidential or sensitive data must still be encrypted to ITS standards. See Exception Process.

2.4  Sharing Encryption Keys and Passwords

Asset categories: Infrastructure | Applications | Endpoint Assets

1. If the encryption method used for an electronic data transfer requires a password or code to access the data, that password or code must be sent separately from the data itself, e.g. by phoning or texting the verified recipient with the password or code. An email message containing encrypted data must never include the password or code in the same message.

2. Encryption methods that do not use ITS-provided solutions for centralized data management must provide the encryption key or password to ITS for proper storage and escrow, so that ITS can comply with digital investigations or legal orders for access to encrypted data.
See How Do I? provide the key to ITS?
ITS follows an internal SOP to securely manage non-ITS-provisioned encryption keys.
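Items 2.3(1) and 2.4(1) together describe encrypt-then-transfer with the password delivered out of band: the file is protected before it leaves the sender, so the channel no longer has to be. The following Go program is an added example written for this page, not an ITS tool or an ITS standard: it derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256, seals the data with AES-GCM so that a wrong passphrase or an altered container is detected rather than silently producing garbage, and generates a random passphrase that goes to the recipient by a separate channel. The container layout, the iteration count and the sample text are this example's own choices; the hand-written PBKDF2 helper can be replaced by golang.org/x/crypto/pbkdf2.

```go
// Added example, not an ITS tool or standard: encrypt a file under a passphrase
// before it crosses an unencrypted channel, the passphrase going out of band.
// Layout (salt || nonce || AES-256-GCM ciphertext) and iteration count are this
// example's choices; golang.org/x/crypto/pbkdf2 could replace the PBKDF2 helper.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen  = 16
	nonceLen = 12      // standard GCM nonce
	tagLen   = 16      // GCM authentication tag
	iters    = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP's current guidance)
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, standard library only.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, pass)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives a 256-bit AES key from the passphrase and salt.
func newGCM(pass, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(pass, salt, iters, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns salt || nonce || ciphertext+tag with fresh salt and nonce; the salt is
// also bound as associated data so the header cannot be swapped between containers.
func Seal(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append(make([]byte, 0, saltLen+nonceLen+len(plaintext)+tagLen), salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// Open reverses Seal; a wrong passphrase and an altered container fail alike.
func Open(passphrase, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen+tagLen {
		return nil, errors.New("container too short")
	}
	salt, nonce, ct := container[:saltLen], container[saltLen:saltLen+nonceLen], container[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or container altered")
	}
	return pt, nil
}

func main() {
	pb := make([]byte, 16)
	rand.Read(pb) // crypto/rand: a failure here is not recoverable anyway
	pass := fmt.Sprintf("%x", pb)
	c, err := Seal([]byte(pass), []byte("constructed sample: grades export"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("container: %d bytes, send by the transfer method\npassphrase, by phone or text only: %s\n", len(c), pass)
}
```

The container carries its own salt and nonce; both are public values and reveal nothing without the passphrase, which is exactly why the passphrase must travel by a different route than the container. Because AES-GCM is authenticated, a recipient who mistypes the passphrase or receives a corrupted or tampered file gets an error instead of plausible-looking output.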

3.0 Applicable Roles, Responsibilities, and Skills

For expanded details see the Security-Related Roles and Responsibilities document.

Role: ITS Help Desk
Responsibility: First point of contact for Users who are unsure whether they are correctly encrypting in-scope data or what solutions exist.
Skills/Knowledge: ITS supported and recommended encryption solutions.

Role: User
Responsibility: Encrypt in-scope data as the circumstance requires.
Skills/Knowledge: Know the classification of the data and information being stored, processed, or transmitted; know the risks of not encrypting; know how to apply the solutions.

4.0 Measurement and Metrics

1. Lagging results indicators:

a. Number of calls to Help Desk for help with encryption issues,

b. Number of portable media reported lost, stolen, damaged,

c. Number of security breaches related to loss of portable media and devices.

5.0 Continual Improvement

ITS will work to improve the process and supporting technologies.

6.0 Resources

[1] See Information Classification Scheme.

Click to download PDF of High-Level Process

Security Standards Glossary of Terms

How Do I?

Information Classification Scheme

Security-Related Roles and Responsibilities

Exception Process