
Encryption Standard

UNIVERSITY STANDARD STATEMENT

This standard establishes expectations for the encryption of IT assets and institutional data in alignment with .

REASON FOR STANDARD

Data flows in and out of the VU network along numerous channels that vary greatly in their criticality to the university and in the compliance measures they require. As part of an effort to safeguard critical data by reducing its exposure and the associated risk to the university, it is important to communicate the level of encryption expected for any combination of IT Asset and data sensitivity. It is equally vital to communicate how that encryption is expected to be handled, by both IT administrators and end users.

In certain cases, agreements with third parties regarding the handling of shared data include provisions concerning data storage (e.g., Data Use Agreements or contracts for research on Controlled Unclassified Information). If these provisions call for a higher level of security than what is defined here, they will supersede the rules in this standard.

The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.

SCOPE AND AUDIENCE

This standard applies to the entire VU community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called "VU Community Members").

DEFINITIONS

  • All Terms

    Encryption: The act of rendering something inaccessible by unauthorized people and/or unreadable through unauthorized means. Specifically, preventing access to digital spaces or making data unreadable in plaintext.

    End User: A VU community member who operates an IT asset and is responsible for ensuring appropriate use and physical security of the IT assets assigned to them.

    Information Technology (IT) Asset: Devices, systems, and applications that enable the organization to achieve university business, academia, and research. IT assets include but are not limited to hardware assets (e.g., servers, laptops, printers, IoT devices, etc.) and software assets (e.g., operating systems, applications, cloud components, etc.).

    Institutional Data: Consistent with the Data Classification Policy, institutional data is all data maintained to support delivery of VU's central mission of scholarly research, informed and creative teaching, and service to society at large. For the purposes of this policy, this includes data that supports VU's auxiliary services as well as research and teaching data.

    IT Asset Owner: An individual or team accountable for overall management and lifecycle of their respective IT assets. If applicable, responsible for partnering with IT Asset Stewards for central inventory and lifecycle management functions.

    IT Asset Steward: An individual or team that is responsible for day-to-day maintenance and support of IT assets and their configurations.

STANDARD

A. DATA AT REST

Stored data that is not actively being utilized, moved, or accessed in any way is considered data at rest. This includes, but is not limited to, data such as digital documents that are not open, credentials stored in a password manager, or backups of data not currently in use. Portable media such as flash drives and external hard drives are also storage locations where data would be considered at rest.

For non-public data at rest, if either the data or the IT Asset (e.g., hardware or software) on which the data is stored belongs to VU, the data must be encrypted during storage. This can be accomplished via two avenues: file-level encryption and whole disk encryption. File-level encryption involves placing data in encrypted folders or directly encrypting the file with an encryption utility. Whole disk encryption involves encrypting the entire hard drive of an IT Asset, either in software or with the assistance of specialty hardware. The IT Asset Owner is responsible for implementing and maintaining the required level of encryption for the data assets under their purview. This responsibility may be delegated to an IT Asset Steward.

For data at rest, the encryption method that fits best will vary with the chosen storage location and avenue of encryption. The table below lists encryption utilities for each avenue of encryption on the most common operating systems. Note that these utilities require recent versions of the operating systems they are meant for in order to function properly.

| Approved Encryption | OS | File-Level Encryption | Whole Disk Encryption |
|---|---|---|---|
| AES-256, RC6-256, or better | Windows | Encrypting File System | EFS |
| AES-256, RC6-256, or better | MacOS | Disk Utility | FileVault |
| AES-256, RC6-256, or better | Linux | Gnu Privacy Guard (GPG) | Linux Unified Key Setup (LUKS) |
| N/A - Hardware dependent | | N/A | Trusted Platform Module (TPM) Chip |
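One way an IT Asset Steward could check a Linux host against the Linux row of the table above, as an added example that is not part of the VU standard: it parses `lsblk` key="value" output and flags every mounted filesystem that is not on a LUKS/dm-crypt mapping. The column set, the parent-device rule for LVM-on-LUKS, and the /boot exemption are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the VU standard: audit a Linux host's mounted
# filesystems against Section A's Linux whole-disk method (LUKS).
# Input: key="value" lines from `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`.
# Assumptions (ours): a mounted filesystem is encrypted at rest only if it is
# a dm-crypt mapping (TYPE="crypt") or stacked on one via PKNAME (LVM on LUKS);
# /boot and /boot/efi are exempt because the bootloader must read them in clear.

# Reads lsblk pairs on stdin; prints one line per mounted filesystem that is
# NOT LUKS-backed and returns 1 if any were found, 0 otherwise.
audit_lsblk() {
  awk '
    {
      split("", kv)                               # reset the per-line map
      for (i = 1; i <= NF; i++) {                 # parse KEY="value" fields
        n = index($i, "=")
        k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
        kv[k] = v
      }
      name = kv["NAME"]
      # lsblk lists parents before children, so the parent verdict is known
      enc[name] = (kv["TYPE"] == "crypt") || enc[kv["PKNAME"]]
      mp = kv["MOUNTPOINT"]
      if (mp == "" || mp == "[SWAP]" || mp == "/boot" || mp == "/boot/efi") next
      if (!enc[name]) {
        printf "UNENCRYPTED %s on %s (%s)\n", mp, name, kv["FSTYPE"]
        bad = 1
      }
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Constructed sample: LVM root on LUKS (compliant) plus a plain ext4 data disk.
SAMPLE_LSBLK='NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"'

run_sample() { printf '%s\n' "$SAMPLE_LSBLK" | audit_lsblk; }

# Pass --live to audit the host this script runs on instead of the sample.
case "${1:-}" in
  --live) lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | audit_lsblk ;;
esac
```

Against the sample the script reports only `/data` on `sdb1`, since the root volume sits on the `cryptroot` mapping and `/boot/efi` is exempt.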

B. DATA IN TRANSIT

Data that is actively being accessed, changed, or moved is considered data in transit. This includes, but is not limited to, data such as digital documents that are being copied or moved to a new location, credentials being passed to and from a server as part of logging into a service or webpage, or a file transmitted to a printer for output.

All data must be encrypted over the entire length of its transit. The IT Asset Owner is responsible for ensuring that the capabilities for encrypting data in transit are present and functional on assets under their purview. This may be delegated to an IT Asset Steward. The End User is responsible for adhering to the guidelines in this standard regarding when those capabilities must be used.

Data that cannot be securely transported, such as due to a lack of a secure transmission channel, must be encrypted at rest prior to being transported. Only when the data is again at rest can it be decrypted.

The table below gives some common avenues of accessing data that would qualify that data as "in transit", as well as examples of approved methods for securing data in transit over that avenue of data access.

| Avenue of Data Access | Approved Secure Methods for Transit |
|---|---|
| File Transfer | Secure File Transfer Protocol (SFTP) |
| Web Application | HTTPS; SSL/TLS 1.2 or later |
| Remote Session | SSH v2 or later; Virtual Private Network (VPN) - VU VPN |
| Network Printing | Secure Printing Service |
| Email | S/MIME, PGP/MIME; SSL/TLS 1.2 or later; STARTTLS; Digital Certificates |

C. ENCRYPTION KEY MANAGEMENT

While encrypting data, at least one value called an encryption key is generated or used. Asymmetric encryption utilizes a pair of these, called the public key and private key. This key, or pair of keys, serves as the basis for successfully encrypting and decrypting data in any encryption protocol.

Encryption keys used are also considered sensitive data and must be stored and transmitted in accordance with the rules in this standard regarding data at rest and in transit. This requirement does not pertain to keys or protocols that are providing layers of encryption transport in addition to the strong encryption that has already been applied (e.g., SSH host keys).

The table below summarizes the acceptable symmetric and asymmetric algorithms for use in encrypting, including encryption keys themselves.

| Symmetric Algorithms | Asymmetric Algorithms |
|---|---|
| AES (256 bit or better) | ECC (512 bit or better) |
| RC6 (256 bit or better) | RSA (1024 bit or better) |

Professional key management is critical to prevent unauthorized disclosure of non-public data or irretrievable loss of data. VUIT will make a centralized key management infrastructure available to all institutional users to ensure appropriate controls are applied. The institutional data managed by all key management infrastructures is considered both sensitive and critical. The owner of encrypted data is responsible for assigning responsibility for managing the encryption keys used to protect that data.

All institutional key management infrastructures should create and implement an encryption key management plan that:

  • Ensures data can be decrypted when access to data is necessary. Backup or other strategies (e.g., key escrow, recovery agents, etc.) must be implemented to enable decryption, thereby ensuring data can be recovered in the event of loss or unavailability of encryption keys.
  • Addresses handling the compromise or suspected compromise of encryption keys. The plan must address what actions shall be taken in the event of a compromise (e.g., with system software and hardware, private keys, or encrypted data.)
  • Addresses the destruction or revocation of encryption keys that are no longer in use (e.g., the individual has left the university) or that aren't associated with a key management program.

D. AUDITING AND REPORTING

In any circumstance, including but not limited to those described above, the Office of Cybersecurity retains the right to audit encryption controls on any institutional data or IT Asset to ensure compliance. This extends to standards imposed by agreements with third parties pertaining to handling their data, as well as security controls put in place on outgoing institutional data.

VU community members must immediately report any non-public data that is compromised (e.g., lost or stolen) to the Office of Cybersecurity by phone at 615-343-9999 or submit a .

In the case an encryption key is the compromised data, the key manager and the owner of the data for which the encryption key was used should also be alerted. The key must be revoked or destroyed and a new key generated. Key reassignments require re-encryption of the data utilizing the new key.

EXCEPTIONS

On a rare occasion, a security policy exception may be considered depending on the impact to the university mission and security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.

ENFORCEMENT

Any VU community member who violates this policy may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law, and individuals shall be held accountable as applicable.

FORMS AND TOOLS

N/A

FREQUENTLY ASKED QUESTIONS

N/A

HISTORY

| Review Date | Summary of Changes |
|---|---|
| September 2023 | Clarified preapproved in-transit protocol versions, grammatical changes |
| February 2025 | Added a review cadence |