Policies and Procedures Manual 2023-2024

3.63 Data Encryption

Purpose

This procedure outlines the information required to plan, prepare, and deploy encryption solutions that secure data effectively and efficiently, in accordance with Piedmont University’s Data Classification Policy and Data Classification Guidelines.

The main goal of this procedure is to provide a range of tools for the most common systems at the college that store, transmit, or process Restricted data.

Procedure

All encryption shall be performed using National Institute of Standards and Technology (NIST) approved cryptographic modules (FIPS 140 validated) or NIST-approved algorithms. The use of proprietary encryption algorithms is not allowed for any purpose.

Devices and Media Requiring Encryption

Encryption is required for all laptops and workstations that may be used to store or access Restricted data. The Office of Information Technology will implement, manage, and maintain disk encryption where required.

Electronic Data Transfers

To protect the confidentiality and integrity of the college’s data as defined in the Data Classification Policy, any data classified as Restricted shall be encrypted before transmission to ensure that it does not traverse the network in clear text. Standard and recommended ciphers include AES 256 (see note 1) and Triple DES (see note 2).

When transmitting encrypted data, the following guidelines must be followed:

  • If the encryption method uses a password, the password must be transferred through a separate channel from the encrypted data. For example, call the recipient and provide the password verbally.

  • Email messages containing encrypted data must never include the password in the same message as the encrypted data.

It is further recommended that data classified as Sensitive be transmitted via encrypted communications.

Enforcement

Any employee found to have violated this policy may be subject to disciplinary action.

Notes:

  1. AES 256 = AES256 is a symmetric encryption algorithm (NIST FIPS 197) widely recognized as the current standard for secure encryption. It uses a symmetric key (the same key is used for both encryption and decryption) and operates on 128-bit blocks of data. The "256" in AES256 refers to the key size, indicating that it uses a 256-bit key. AES256 provides a high level of security and is resistant to known cryptographic attacks.

  2. Triple DES = Triple DES, also known as 3DES or TDEA (Triple Data Encryption Algorithm), is a symmetric encryption algorithm that applies the Data Encryption Standard (DES) algorithm three times consecutively (encrypt, decrypt, encrypt). DES itself is an older algorithm whose 56-bit key is too short to be secure on its own, and 3DES extends it by using multiple keys across the three passes. It operates on 64-bit blocks of data and supports three keying options: three independent keys (168-bit key), two keys (112-bit key), or one key (56-bit, equivalent to single DES and not secure). Note that NIST has deprecated Triple DES: SP 800-131A Rev. 2 disallows it for encrypting new data after 2023 and permits it only for decrypting legacy data, so AES 256 should be preferred for any new deployment.