The purpose of this policy is to define and explain requirements for cryptographic security. These measures ensure that sensitive and critical UNCW data being stored or transmitted remains accessible only to those who require access.
Authority:
CIO
History:
Approved by CIO July 10, 2021
Source of Authority:
UNC System Office Policy Manual, Chapter 1400 “Information Technology”
International Organization for Standardization ISO/IEC 27002
Policy
All sensitive UNCW data or UNCW data with a cryptographic requirement arising from state or federal statute or regulation, UNCW policy or standard, or other external source, must be encrypted by the use of valid encryption processes for data at rest and in motion.
General Cryptographic and Encryption Standards
Sensitive data is defined by the Data Classification Standard. Any staff or faculty member, or non-affiliate with access to sensitive data should review the Data Classification Standard to understand the expectations of managing, storing, and transmitting university owned data.
UNCW data that meets the qualification for sensitive must be encrypted during storage, transmission, and processing, according to the specifications outlined in the Cryptographic Security Standard.
If encryption is not a viable option, an appropriate and comparable compensating control must be implemented.
Any and all compensating controls that remove the requirement for encryption are considered exceptions to security policy and require review and approval for noncompliance.
If a portable media or mobile device is required to store or access sensitive data, the media or device must leverage the appropriate encryption as well as other security controls relevant to the data.
Responsible parties (i.e., data custodians) will maintain appropriate and up-to-date encryption protocols for all university applications, including the acquisition and upkeep of Transport Layer Security (TLS) certificates.
When sensitive data is stored or processed by, or transmitted to, a third-party site, due diligence must be performed to ensure that the third party can adhere to the university’s encryption standards.
Key management and encryption requirements:
Any encryption keys must be housed in isolation from non-privileged access. Access to this part of the network must have security controls equal to or greater than that of the key itself.
Only users who possess a business need to know should be provided with authorization to access encryption keys.
Those entrusted with custodianship of encryption keys must formally acknowledge and accept their responsibilities annually.
Any and all access to encryption keys must be properly documented/logged and available for review.