Digital Encryption Policy: IK

Introduction:

South Plains College is committed to compliance with state and federal statutes associated with the protection of confidential information.  

Information technology resources that contain or transmit confidential information must be protected with the specified minimum requirements for encryption key standards and management.

 

Scope:

The SPC Digital Encryption Policy applies equally to all individuals entrusted with any South Plains College information technology resources.

 

Policy Statement:

Minimum encryption requirements to protect confidential information from unauthorized disclosure shall be limited to the following State of Texas encryption requirements: 

  1. Public information, information as described in the Texas Public Information Act or other enabling laws, rules, and regulations, has no minimum encryption requirements.
  2. Confidential information, information that must be protected from unauthorized disclosure or public release based on state or federal law and personal identifying or sensitive personal information as defined in the Texas Business and Commerce Code, must be encrypted with a minimum key length of 128 bits.
  3. Federal protected data, federal tax information, Federal Financial Aid data, protected health information, and law enforcement information, is required to comply with National Institute of Standards and Technology (NIST) requirements as defined in NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

 

Confidential information that is transmitted through or stored on an externally accessible location shall be encrypted from the time it leaves a secure location until it is received into a secure location. 

Confidential information should not be copied to, or stored on, removable media or a non-agency-owned computing device that is not encrypted.

SPC may also choose to implement these protections for data classifications other than Confidential.

Information resources assigned from one state agency to another, or from a state agency to a contractor or other third-party representative, shall be protected in accordance with the conditions imposed by the providing state agency.

 

Related Policies, References and Attachments: 

An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

DIR Security Controls Catalog Control Group: SC-13

 

Approved by:  Executive Council, September 9, 2019

Next Review: October 1, 2020