Encryption Policy

Overview

Encryption, also known as cryptography, is used to secure data while it is stored or being transmitted. It is a powerful tool when applied and managed correctly. As the amount of data the company must store digitally increases, the use of encryption must be defined and consistently implemented in order to ensure that the security potential of this technology is realized.

Purpose

The purpose of this policy is to outline the company's standards for use of encryption technology so that it is used securely and managed appropriately. Many policies touch on encryption of data so this policy does not cover what data is to be encrypted, but rather how encryption is to be implemented and controlled.

Scope

This policy covers all data stored on or transmitted across corporate systems.

Policy

Applicability of Encryption

Data at rest. This includes any data located on company-owned or company-provided systems, devices, media, etc. Examples of encryption options for data at rest include:

  • Whole disk encryption

  • Encryption of partitions/files

  • Encryption of disk drives

  • Encryption of personal storage media/USB drives

  • Encryption of backups

  • Encryption of data generated by applications

Data in transit. This includes any data sent across the company network, or any data sent to or from a company-owned or company-provided system. Types of transmitted data that can be encrypted include:

  • VPN traffic

  • Remote access sessions

  • Web applications

  • Email and email attachments

  • Remote desktop access

  • Communications with applications/databases

Examples of encryption for data in transit include:

  • VPN tunnels

  • Industry standard protocols such as TLS and SSL

Encryption Key Management

Encryption key management is critical to the success of an implementation of encryption technology. An encryption key is a digital password or certificate used to encrypt and decrypt data.

The following guidelines apply to the company's encryption keys and key management:

  • Keys are confidential data

  • Management of keys must ensure that data is available for decryption when needed

  • Keys must be securely documented

  • Keys must never be transmitted in clear text

  • Keys must never be shared

  • Keys must not be stored on the same media as the encrypted information

  • Physical key generation materials must be destroyed immediately upon generation

  • Keys must be used and changed in accordance with the password policy

  • When user encryption is employed, minimum key length is 10 characters

  • The company must perform background checks on the persons in charge of encryption keys

  • For more secure storage the company should consider keys known in half by two people

Acceptable Encryption Algorithms

Only the strongest types of generally-accepted, non-proprietary encryption algorithms are allowed, such as AES or 3DES. Acceptable algorithms should be reevaluated as encryption technology changes.

Use of proprietary encryption is specifically forbidden since it has not been subjected to public inspection and its security cannot be assured.

Legal Use

Some governments have regulations applying to the use and import/export of encryption technology. The company must conform with encryption regulations of the local or applicable government.

The company specifically forbids the use of encryption to hide illegal, immoral, or unethical acts. Anyone doing so is in violation of this policy and will face immediate consequences per the Enforcement section of this document.

Applicability of Other Policies

This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and as such the applicable policies should be reviewed as needed.

Enforcement

This policy will be enforced by the Executive Team and authorized IT personnel. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

Definitions

  • Encryption: The process of encoding data with an algorithm so that it is unintelligible without the key. Used to protect data during transmission or while stored.

  • Encryption Key: An alphanumeric series of characters in the form of a password or certificate that enables data to be encrypted and decrypted.

  • Mobile Storage Media: A data storage device that is portable and can easily be moved between computer systems. Examples include flash drives, thumb drives and SD cards.

  • Password: A sequence of characters that is used to authenticate a user to a file, computer, or network. Also known as a passphrase or passcode.

  • Remote Access: The act of communicating with a computer or network from an off-site location. Often performed by home-based or traveling users to access documents, email, or other resources at a main site.

  • Remote Desktop Access: Remote control software that allows users to connect to, interact with, and control a computer over the Internet just as if they were sitting in front of that computer.

  • Virtual Private Network (VPN): A secure network implemented over an insecure medium, created by using encrypted tunnels for communication between endpoints.

  • Whole Disk Encryption: A method of encryption that encrypts all data on a particular drive or volume, including swap space and temporary files.
