³ÉÈËÊÓƵ

Policy Contact: Division of Technology and Security

1. Purpose

   This policy sets forth standards for the use of encryption to ensure that proper encryption algorithms are used, to protect data and assets, and to ensure compliance with applicable state and federal laws and regulations.

2. Policy
    
   1. All units, departments, business functions, and individuals are required to employ University Division of Technology and Security approved encryption solutions to preserve the confidentiality and integrity of, and control accessibility to, University data classified as sensitive data by the Division of Technology and Security. The Division of Technology and Security will maintain, update, and inform users of what information is determined to be sensitive data.
       
   2. This policy applies to all faculty, staff, contractors, vendors, and others entrusted with University sensitive data.
       
   3. All encryption software used by the University and individuals using the University’s information technology resources must be approved by the Division of Technology and Security before use.
       
   4. A copy of all encryption keys used within the University’s information technology resources shall be stored with the Division of Technology and Security.
       
   5. Sensitive data determined by the Division of Technology and Security includes, but is not limited to, the following:
      1. Personal and financial data, including;
         1. Social Security Number,
         2. Credit card number or banking information,
         3. Passport number,
         4. Foreign visa number,
         5. Tax information,
         6. Credit reports,
         7. Anything that can be used to facilitate identity theft (e.g., mother's maiden name),
      2. Statutorily protected data, including;
         1. FERPA-protected information (e.g., student information and grades),
         2. HIPAA-protected information (e.g., health, medical, or psychological information),
         3. Export Controlled information,
         4. Other data required to be protected by statute or regulation,
      3. University restricted data;
      4. Human subjects research data;
      5. Passwords;
      6. Data required to be protected by contract.
          
   6. The University’s key length requirements will be reviewed annually by the Division of Technology and Security and upgraded as technology allows.
       
   7. The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the Division of Technology and Security.
       
   8. Export of certain encryption technologies is restricted by the U.S. Government and the University. University employees and University information technology resources will abide by all applicable Export Control provisions. Information about commercial encryption technologies and their regulations can be found by accessing the U.S. Department of Commerce, Bureau of Industry and Security, Export Administration Regulations. For information about encryption technologies that have military or space applications, the U.S. Department of State, International Traffic in Arms Regulations may be accessed. Further guidance is also available from the SDBOR System Export Control Officer.
       
   9. Employees that are citizens of countries other than the United States are responsible for making themselves aware of the encryption technology laws of their home country and any obligation they have to comply with those laws.
       
   10. Any University employee found to have violated this policy may be subject to disciplinary action, up to and including, termination of employment.

3. Responsible Administrator

   The Vice President for Technology & Security, designee, or successor is responsible for the annual and ad hoc review of this policy and its procedures. The University President is responsible for formal policy approval.

Approved by President on 12/21/2015.

Sources: ; ; ;