Guidelines for Data Protection - Encryption
Encryption
The following tables define baseline encryption and key management controls for protecting Institutional Data.
Encryption
ID | Control | Public | Private | Restricted
EN-1 | Institutional Data transmitted over a network connection is encrypted | Optional | Recommended | Required
EN-2 | Institutional Data stored on Electronic Media is encrypted | Optional | Recommended | Recommended
EN-3 | Data stored on removable Electronic Media is encrypted | Optional | Recommended | Required
EN-4 | Data stored on a mobile computing device is encrypted | Optional | Recommended | Required
EN-5 | Remote administration of an Information System is performed over an encrypted network connection | Required | Required | Required
Key Management
ID | Control | Public | Private | Restricted
EN-6 | Industry accepted algorithms are used where encryption and/or digital signing are employed | Recommended | Required | Required
EN-7 | Key sizes of 128-bits or greater are used where symmetric key encryption is employed * | Recommended | Required | Required
EN-8 | Key sizes of 1024-bit or greater are used where asymmetric key encryption is employed * | Recommended | Required | Required
EN-9 | Keys are changed periodically where encryption is employed | Recommended | Required | Required
EN-10 | Keys are revoked and/or deleted when they are no longer needed to perform a business function | Recommended | Required | Required
Supplemental Guidance
* EN-7 and EN-8: These controls establish baseline key sizes for symmetric key encryption (e.g. AES and 3DES) and asymmetric encryption (e.g. RSA and Diffie-Hellman). However, industry trends show a gradual movement toward larger key sizes. For example, the National Institute of Standards and Technology now requires 256-bit and 2048-bit keys for certain aspects of personal identity verification when dealing with federal information systems (see Special Publication 800-78). Data Custodians should evaluate any contractual obligations that might exist when selecting an appropriate key size.
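An added example, not part of the guideline, of how a Data Custodian might audit an X.509 certificate against EN-6 (industry accepted algorithms) and the EN-8 1024-bit asymmetric floor using only the Go standard library; the deprecated-signature list, the control IDs in the findings and the self-signed sample certificate builder are the author's assumptions, not the guideline's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MinAsymmetricBits is the EN-8 floor for asymmetric (RSA/DH) keys.
const MinAsymmetricBits = 1024

// Finding is the outcome of one control check against a certificate.
type Finding struct {
	Control string // guideline ID, e.g. "EN-8"
	Pass    bool
	Detail  string
}

// Signature algorithms the industry has deprecated; a certificate signed with one fails EN-6.
var deprecatedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
}

// AuditCertificate checks a DER-encoded X.509 certificate against EN-6 and EN-8.
func AuditCertificate(der []byte) ([]Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	fs := []Finding{{"EN-6", !deprecatedSigAlgs[cert.SignatureAlgorithm],
		"signature algorithm " + cert.SignatureAlgorithm.String()}}
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		fs = append(fs, Finding{"EN-8", k.N.BitLen() >= MinAsymmetricBits, fmt.Sprintf("RSA %d-bit key", k.N.BitLen())})
	} else {
		// The 1024-bit rule is written for RSA/DH; EC strength is per curve, so flag for manual review.
		fs = append(fs, Finding{"EN-8", false, fmt.Sprintf("%T key: review manually", cert.PublicKey)})
	}
	return fs, nil
}

// SelfSignedRSA builds a constructed sample certificate (for testing only) with an RSA key of the given size.
func SelfSignedRSA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

Running AuditCertificate over a site's deployed certificates gives a per-control pass list that maps directly onto the Key Management table.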