Defining the University’s approach to using cryptography
This control procedure defines the University’s approach to communications security, and directly supports the following policy statement from the Information Security Policy:
The University will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems.
This procedure is intended to be read and understood by any users accessing University information, IT systems, networks or software using any University or personally owned device, where there is a need to apply additional controls to protect data at rest or data in transit.
The purpose of this policy is to provide guidance:
Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise. Keys need to be communicated by reliable and secure methods and kept confidential.
Key generation must be seeded from an industry-standard random number generator (RNG).
Where user-generated passwords are required to decrypt data – either as the key or as input to a key derivation function – these should follow the University’s Control Procedure for Password Management. It is important that local procedures are put in place to ensure that passwords used to encrypt devices are communicated to teams on a need-to-know basis, so that if an individual leaves the University, access can still be gained to the University’s data.
All University managed computers require encryption for the protection of vulnerable and sensitive data. Computers running Microsoft Windows will use BitLocker drive encryption. Access to the list of the keys in the Active Directory is restricted to the Server Management Team. Computers running alternative operating systems will have native encryption enabled where available.
Mobile devices synchronising email with the University email system must be forced to use encryption by the ActiveSync settings pushed to the device.
Devices not under University management should have encryption enabled where possible at the user's discretion, but the University reserves the right to restrict devices from the network or defined network resources where they do not meet these and other security requirements.
University managed databases will have Transparent Database Encryption enabled by default unless an exception has been agreed with the Assistant Director, Information Security. As newer versions of database technology include more native encryption options, these should be enabled by default unless an exception has been agreed with the Assistant Director, Information Security.
Sensitive information shall only be removed from the University network with adequate protection, in line with the Information Classification Scheme. Tools for protecting information are offered by ISDS, including built-in encryption in Microsoft Office products, 7-Zip for file and folder encryption, encrypted USB devices, and use of Egress Switch for email encryption or Criminal Justice Secure Mail (CJSM) for email encryption to secure Government and public sector networks. Further information is available from ISDS.
Facilities for connection to the University’s IT systems and services via networks not fully within the control of the organisation’s security management (such as the internet or wireless access) will be secured according to the standards in this procedure.
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.