Carnegie Mellon University

Guidelines for Data Protection - Encryption

Encryption

The following tables define baseline encryption and key management controls for protecting Institutional Data.

Encryption

| ID | Control | Public | Private | Restricted |
|------|---------|----------|-------------|-------------|
| EN-1 | Institutional Data transmitted over a network connection is encrypted | Optional | Recommended | Required |
| EN-2 | Institutional Data stored on Electronic Media is encrypted | Optional | Recommended | Recommended |
| EN-3 | Data stored on removable Electronic Media is encrypted | Optional | Recommended | Required |
| EN-4 | Data stored on a mobile computing device is encrypted | Optional | Recommended | Required |
| EN-5 | Remote administration of an Information System is performed over an encrypted network connection | Required | Required | Required |

Key Management

| ID | Control | Public | Private | Restricted |
|-------|---------|-------------|----------|----------|
| EN-6 | Industry-accepted algorithms are used where encryption and/or digital signing are employed | Recommended | Required | Required |
| EN-7 | Key sizes of 128 bits or greater are used where symmetric key encryption is employed * | Recommended | Required | Required |
| EN-8 | Key sizes of 1024 bits or greater are used where asymmetric key encryption is employed * | Recommended | Required | Required |
| EN-9 | Keys are changed periodically where encryption is employed | Recommended | Required | Required |
| EN-10 | Keys are revoked and/or deleted when they are no longer needed to perform a business function | Recommended | Required | Required |

Supplemental Guidance

* EN-7 and EN-8: These controls establish baseline key sizes for symmetric key encryption (e.g., AES and 3DES) and asymmetric encryption (e.g., RSA and Diffie-Hellman). However, industry trends show a gradual movement toward larger key sizes. For example, the National Institute of Standards and Technology now requires 256-bit and 2048-bit keys for certain aspects of personal identity verification when dealing with federal information systems (see Special Publication 800-78). Data Custodians should evaluate any contractual obligations that might exist when selecting an appropriate key size.