
System Security Encryption Standard

Purpose

This Encryption Standard provides guidance for minimum data encryption requirements for use on Boise State University computing devices. To help facilitate and manage full drive encryption, Boise State now supports Windows BitLocker and Mac FileVault 2 enterprise encryption for mobile devices such as laptops. Contact the OIT Help Desk at 426-4357 for details.

Applicability

This standard applies to all computing devices and systems at Boise State University that store restricted or confidential information.

Standard

Workforce members who use mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) or mobile data storage devices (e.g. floppy disks, CDs, DVDs, flash memory, portable hard drives) are responsible for the protection of the data on those devices. This responsibility includes the use of encryption as outlined below, whether the devices are personally owned or furnished by Boise State University.

Special Requirements for Passwords, PHI, and PII

Boise State University has identified situations involving certain classes of confidential information that have elevated risks and for which encryption is required.

Passwords

  • Passwords must be encrypted during transmission over any networks.
  • Passwords must be encrypted at rest on any computers, computerized devices, or digital storage systems.

Protected Health Information (PHI)

  • PHI must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
  • PHI must be encrypted during transmission over any wireless networks.
  • PHI must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. floppy disks, CDs, DVDs, flash memory, portable hard drives).

Personally Identifiable Information (PII)

  • PII must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
  • PII must be encrypted during transmission over any wireless networks.
  • PII must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. floppy disks, CDs, DVDs, flash memory, portable hard drives).

All Other Level One Data

  • Level One Data must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
  • Level One Data must be encrypted during transmission over any wireless networks.
  • Level One Data must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. floppy disks, CDs, DVDs, flash memory, portable hard drives).

Encryption Algorithms

Any of the recommended algorithms will provide adequate security for their intended purpose. System Owners and end users should feel free to select whichever recommended algorithms are available in the products they are using.

Recommended Encryption Algorithms

  • Advanced Encryption Standard (AES) (FIPS PUB 197)
  • Blowfish
  • Triple Data Encryption Standard (3DES) (FIPS PUB 46-3)
  • Twofish

Recommended Digital Signature Algorithms

  • Digital Signature Algorithm (DSA) (FIPS 186-2 Digital Signature Standard)
  • RSA (FIPS 186-2 Digital Signature Standard)

Recommended Digital Hash Algorithms

  • Secure Hash Algorithm (SHA-1) (FIPS 180-2 Secure Hash Standard)
  • Secure Hash Algorithm (SHA-256, SHA-384, SHA-512)

Protection of Passwords and Private Keys

Encrypted information is decrypted and made readable by use of a password (symmetric encryption systems) or a private key (public key or certificate-based systems). Passwords and private keys must be protected from unauthorized access or the encrypted information may also be accessible to unauthorized persons.
If passwords or private keys are stored on disk or other forms of digital media, special care must be taken to provide logical access controls (e.g. file system permissions) and/or physical security measures (e.g. a key stored on flash memory in a safe) that prevent access by persons other than their intended user(s).

Protections for the Availability of Encrypted Data

If the keys, passwords, or other mechanisms used for decryption of information are forgotten, lost, or corrupted, the original information may be unrecoverable. Such an event could have a significant or severe impact on Boise State University operations if the unrecoverable information is the only source of an important institutional data set. System owners planning to use encryption in this situation must ensure availability of the original information by including encryption in their business continuity plan. This may involve secure storage of multiple copies of the keys in several locations and ensuring that multiple staff members trained in the recovery procedures are always available.

Updates

Created: January 2015

Last Update: August 2022

Next Review: February 2023