The primary purpose of this policy is to protect restricted data, as defined by the Data Classification Policy, by limiting the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. The policy also sets standards for all use of encryption and identifies federal exportation regulations regarding encryption technologies.
- Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
- Encryption Key: A piece of information used to encode or decode data with a cryptographic algorithm.
- All use of encryption technology must be managed in a manner that permits properly designated University officials prompt access to all data, including for purposes of investigation and business continuity.
- Encryption keys and their backups must be retained for the lifetime of the encrypted data.
- Encryption key management procedures must be in place to ensure integrity and recovery of encryption keys.
- No encryption technology other than that approved and distributed by Information and Instructional Technology Services (IITS) may be used to protect restricted data.
- IITS will provide:
  - minimum encryption standards.
  - encryption key management standards for encryption keys.
- Proven, standard algorithms should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application.
- The use of proprietary encryption algorithms is not allowed, unless reviewed by qualified experts outside of the vendor in question and approved by the Information Security Office.
- Acknowledgement of Federal Exportation Regulations:
Be aware that the export of encryption technologies is restricted by the U.S. Government. Devices with encryption technology permanently installed are eligible for export with NLR (No License Required) to all countries except the embargoed countries that are designated by the U.S. Government as supporters of international terrorism. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
APPENDIX A - Encryption Key Management Standards
Encryption Key: A piece of information used to encode or decode data with a cryptographic algorithm.
Encryption Keys and their backups must be:
- handled in a manner that permits properly designated University officials (Internal Audit, Information Security, and/or Campus Police) prompt access to all data, including for purposes of investigation and business continuity
- physically secured when stored or transmitted offline
- stored or transmitted separately from the data protected by the encryption key
- retained for the lifetime of the data being protected.
Approved by the Board of Visitors, March 20, 2004.
Revised, April 1, 2005.
Revised and approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 27, 2009.
Revised and approved by the Board of Visitors, March 25, 2011.
Revised and approved by the Board of Visitors, September 14, 2012.