South Plains College
Information Services (SPC-IS)
Encryption Standard: I-B(c)
Purpose and Benefits
Encryption is a cryptographic operation that enhances security and protects electronic data (“data”) by transforming readable information (“plaintext”) into unintelligible information (“ciphertext”). It is an effective tool in mitigating the threat of unauthorized access to data.
Scope
This standard applies to all systems, including websites and web services, for which South Plains College has administrative responsibility, including those managed and hosted by third parties on behalf of SPC.
Information Statement
Information encryption is needed based on data classification, risk assessment results, and use cases.
Encryption products for data confidentiality at rest and in transit must incorporate Federal Information Processing Standard (FIPS) approved algorithms. Appendix A contains approved encryption algorithms.
Hashing algorithms transform a digital message into a short representation used in digital signatures and other applications to validate its integrity.
Although hash functions such as SHA-1 provide some security strength on their own, they do not meet all of the security requirements that keyed-hash functions such as HMAC-SHA-1 do. Refer to FIPS 180-4 and Appendix A for more information on the hashing algorithms approved for different applications.
Hashing algorithms can be used for multiple purposes, including, but not limited to, digital signatures, message authentication codes, key derivation functions, and pseudo-random functions.
Approved hashing functions are in Appendix A.
Use of outdated, cryptographically broken, or proprietary encryption algorithms or hashing functions is prohibited.
Because incorrectly implemented cryptography is common, encryption products must hold a FIPS 140 (Security Requirements for Cryptographic Modules) validation and must be operated in FIPS mode.
Electronic information used to authenticate the identity of an individual or process (i.e., PIN, password, passphrase) must be encrypted when stored, transported, or transmitted. This does not include the distribution of a one-time use PIN, password, passphrase, token code, etc., provided it is not distributed along with any other authentication information (e.g., user ID).
A system’s security plan must include documentation to show an appropriate review of encryption methodologies and products. This will demonstrate due diligence in choosing a method or product that has received substantial positive reviews by reputable third-party analysts.
Data in Transit
Encryption is required for data in transit in the following situations:
When electronic personally identifying information (PII) is transmitted (including, but not limited to, e-mail, File Transfer Protocol (FTP), instant messaging, e-fax, Voice Over Internet Protocol (VoIP), etc.).
When encryption of data in transit is prescribed by law or regulation.
When connecting to the internal network(s) over a wireless network.
When remotely accessing SPC’s internal network(s) or devices over a shared (e.g., Internet) or personal (e.g., Bluetooth, infrared) network. This does not apply to remote access over an SPC-managed point-to-point dedicated connection.
When data is transmitted to or from SPC’s public-facing websites and web services. These must use Hypertext Transfer Protocol Secure (HTTPS) instead of Hypertext Transfer Protocol (HTTP) where technically feasible. Public-facing websites must also use HTTP Strict Transport Security (HSTS) and automatically redirect HTTP requests to HTTPS where technically feasible.
Appropriate encryption methods for data in transit include but are not limited to Transport Layer Security (TLS) 1.2 or later, Secure Shell (SSH) 2.0 or later, Wi-Fi Protected Access (WPA) version 2 or later (with Wi-Fi Protected Setup disabled) and encrypted Virtual Private Networks (VPNs). Components should be configured to support the most robust cipher suites possible. Ciphers that are not compliant with this standard must be disabled.
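As an added example, not part of the SPC standard, the following Python builds a TLS client context that meets the data-in-transit requirements above (TLS 1.2 or later, AES-based cipher suites, non-compliant ciphers disabled) and audits the resulting cipher list against the Appendix A minimums. The OpenSSL cipher string and the list of prohibited name fragments are choices made for this example, not values taken from the standard.

```python
import ssl

# Policy floor for data in transit: TLS 1.2 or later.
MIN_TLS = ssl.TLSVersion.TLSv1_2
# Appendix A approves AES with a minimum 128-bit key for data encryption.
MIN_SYMMETRIC_BITS = 128
# Name fragments of outdated or broken components whose suites must be
# disabled. This list is an assumption of the example, not from the standard.
FORBIDDEN = ("NULL", "RC4", "DES", "MD5", "EXP", "ADH", "AECDH")
# OpenSSL cipher string chosen for this example: forward-secret AES-GCM suites
# only; anonymous (aNULL) and null-encryption (eNULL) suites are excluded.
POLICY_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def evaluate_cipher(cipher):
    """Policy violations for one dict in the SSLContext.get_ciphers() shape."""
    name = cipher["name"]
    problems = [f"{name}: prohibited component {bad}"
                for bad in FORBIDDEN if bad in name.upper()]
    symmetric = (cipher.get("symmetric") or "none").lower()
    if not symmetric.startswith("aes"):
        problems.append(f"{name}: symmetric algorithm {symmetric} is not AES")
    bits = cipher.get("strength_bits", 0)
    if bits < MIN_SYMMETRIC_BITS:
        problems.append(f"{name}: {bits}-bit key is below {MIN_SYMMETRIC_BITS}")
    return problems


def build_policy_context():
    """Client context that refuses TLS below 1.2 and offers only POLICY_CIPHERS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers(POLICY_CIPHERS)
    return ctx


def minimum_version_ok(ctx):
    return ctx.minimum_version >= MIN_TLS


def audit_context(ctx):
    """Violations across the TLS 1.2 suites the context offers. TLS 1.3 suites
    are fixed by OpenSSL and unaffected by set_ciphers(), so they are skipped."""
    return [problem for cipher in ctx.get_ciphers()
            if cipher.get("protocol") != "TLSv1.3"
            for problem in evaluate_cipher(cipher)]


# Constructed sample in the get_ciphers() shape: a legacy 3DES suite.
LEGACY_SAMPLE = {"name": "DES-CBC3-SHA", "symmetric": "des-ede3-cbc", "strength_bits": 112}
```

Running `audit_context` over a context configured with a permissive cipher string (for example one that still allows 3DES) lists each suite that must be disabled before the component is compliant.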
Data at Rest
Encryption is required for data at rest, as follows:
For the systems listed below:
desktops that access or contain personally identifying information (PII);
data stores (including, but not limited to, databases and file shares) that contain PII;
all mobile devices, whether SPC-issued or third-party, that access or contain any SPC information; and
all portable storage devices containing any SPC information.
When electronic PII is transported or stored outside of the SPC facility.
Full disk encryption is required for all issued laptops that access or contain SPC information. Full disk encryption products must use pre-boot authentication that utilizes the device’s Trusted Platform Module (TPM) or Unified Extensible Firmware Interface (UEFI) Secure Boot.
To mitigate attacks against encryption keys, SPC-issued and third-party laptops that access or contain PII must be powered down (i.e., shut down or hibernated) when left unattended outside of SPC’s facilities.
SPC must have a process or procedure in place for confirming devices and media have been successfully encrypted using at least one of the following, listed in preferred order:
automated policy enforcement;
automated inventory system; or
manual record keeping.
Key Management
SPC must ensure that a secure environment is established to protect the cryptographic keys used to encrypt and decrypt information. Keys must be securely distributed and stored.
Access to keys must be restricted to only individuals who have a business need to access the keys.
Unencrypted keys must not be stored with the data that they encrypt. Keys will be protected with an authentication token that conforms to the identified assurance level.
Compromise of a cryptographic key exposes all information encrypted with that key. If a compromise has been discovered, a new key must be generated to protect the encrypted information. The specific circumstances should be evaluated to determine whether a breach notification is required.
Encryption keys and associated software products must be maintained for the life of the archived data encrypted with that product.
Compliance
This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards, which may be amended at any time.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.
Related Documents
1 TAC § 202.74 (a)(2)
NIST Federal Information Processing Standard (FIPS) Publication 140-2
NIST Federal Information Processing Standard (FIPS) Publication 198-1
NIST Federal Information Processing Standard (FIPS) Publication 180-4
An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
Texas Security Controls Standards Catalog Control Group: SC-8, SC-13
NIST Function Groups: PR.DS-1, PR.DS-2, PR.IP-4, PR.PT-4, DE.CM-1
Appendix A: Approved Algorithms

| Algorithm  | Minimum Key Length | Use Case                                   |
|------------|--------------------|--------------------------------------------|
| AES        | 128                | Data Encryption                            |
| RSA        | 2048               | Digital Signatures, Public Key Encryption  |
| ECDSA      | 256                | Digital Signatures, Public Key Encryption  |
| SHA        | 256                | Hashing                                    |
| HMAC-SHA-1 | 112                | Keyed-Hash Message Authentication Code     |