8.2.2.3 Encryption Standard

Tags: Encryption

Purpose

Encryption is the process of converting plain text data into a form that is not human-readable (ciphertext) using a mathematical process (an encryption algorithm) and a parameter (an encryption key). Encryption can be an effective information protection control when it is necessary to store or transmit sensitive university data.

Supporting Policy

Cybersecurity Policy

Scope

This standard applies to all of OU’s networks, systems, and other information assets to ensure the proper controls are in place for the confidentiality, integrity, and availability of our data. These critical assets must be managed and controlled to protect OU from loss due to misuse, disclosure, fraud, or destruction.

Standard

This Encryption Standard provides guidance to protect assets, such as computers, portable devices, communication networks and their sensitive data that may reside in such devices or networks from unauthorized access by employing encryption technologies.

Procedures

Desktop Encryption

  1. Desktops storing Category A, B, C, or D1 data must use OU-managed whole disk encryption.
    1. Use the OU-managed whole disk encryption tool to enable BitLocker’s AES-128 encryption with a 256-bit key.
    2. Use the OU-managed whole disk encryption tool to enable FileVault’s XTS-AES-128 encryption with a 256-bit key.
    3. Recovery keys must be stored in the OU-managed encryption management server.

Laptop Encryption

  1. All university-owned laptops must use OU-managed whole disk encryption.
    1. Use the OU-managed whole disk encryption tool to enable BitLocker’s AES-128 encryption with a 256-bit key.
    2. Use the OU-managed whole disk encryption tool to enable FileVault’s XTS-AES-128 encryption with a 256-bit key.
    3. Recovery keys must be stored in the OU-managed encryption management server.
  2. All Health Sciences Center Student laptops must use whole disk encryption.
    1. Use FileVault’s XTS-AES-128 encryption with a 256-bit key.
    2. Use BitLocker’s AES-128 encryption with a 256-bit key.
    3. Register the use of Student laptops using the Student Laptop Registration form.

Removable Media Encryption

  1. Removable media and portable media devices storing Category A, B, C, or E data must use OU-managed encryption services provided through the OU Device Management and Endpoint Protector applications. The OU-managed encryption services use AES-256 CBC-mode encryption.
  2. Removable media and portable media devices storing Category D1 data must be encrypted with FIPS 140-2 compliant algorithms.
  3. Removable media and portable media devices storing Category D2 data should be encrypted.

Cloud Service Encryption

  1. Use modern Secure Sockets Layer (SSL), Transport Layer Security (TLS) version 1.2 or higher, or their equivalent cryptographic protocols for authenticating and establishing identities and maintaining encrypted communications for web applications. 
  2. Weak protocols (SSL version 3 or below and TLS 1.1 or lower) should be prohibited or disabled.
  3. Category A, B, C, D1 or E data transmitted between an application server and a database should be encrypted.
  4. Databases storing Category A, B, C, D1, or E data should use whole disk encryption or features native to the database server software that allow for encryption of the whole disk, specific tables, or columns of a database.
  5. Data contained in backups and/or archive copies must be encrypted.

Web Application Encryption

  1. Use modern Secure Sockets Layer (SSL), Transport Layer Security (TLS) version 1.2 or higher, or their equivalent cryptographic protocols for authenticating and establishing identities and maintaining encrypted communications for web applications. 
  2. Weak protocols (SSL version 3 or below and TLS 1.1 or lower) should be prohibited or disabled.

File Transfers Encryption

  1. Use encrypted protocols (e.g., scp or sftp) for file transfers, or encrypt the file before transmitting it.

Email Encryption

  1. Use OU Secure Email to encrypt emails with sensitive information by typing [SECURE] or [OUENCRYPT] in the subject line.

Printer Encryption

  1. Use JetDirect applications or Internet Printing Protocol (IPP) to prevent unauthorized network interception of print jobs sent to network printers when printing Category A, B, C, D1, or E data.

Site-to-Site Virtual Private Network (VPN) Encryption

Choose the strongest authentication and encryption algorithms that the Site-to-Site VPN peers can support.

  1. For the authentication algorithm, use RSA, DSA, or ECDSA with at least 128-bit security strength. Do not use SHA-1, MD5, or "none".
  2. For the encryption algorithm, use AES-GCM, AES-CTR, AES-CBC, or AES-CCM with 128-, 192-, or 256-bit keys. Do not use DES or 3DES.
  3. Key exchanges must use NIST-recommended algorithms and options:
    1. All modes of IKE version 2.
    2. The Main Mode and Quick Mode options of IKE version 1.
    3. Diffie-Hellman groups 14 through 21.
  4. For the integrity/pseudorandom function (PRF), use HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.
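As an added example (not part of this standard and not OU's own tooling), the check below evaluates IKE proposal strings against the Site-to-Site VPN rules above, flagging non-AES ciphers, SHA-1/MD5, missing HMAC-SHA2 integrity/PRF and Diffie-Hellman groups outside 14 through 21. The proposal spelling follows strongSwan's ipsec.conf syntax and the sample ike= line is constructed; both are assumptions.

```python
"""Added example: check IKE proposal strings against the Site-to-Site VPN rules."""
import re

# Names follow strongSwan's ipsec.conf proposal syntax (an assumption for this
# example; other VPN vendors spell the same algorithms differently).
# Plain "aes128" is AES-CBC; the gcm/ccm/ctr suffixes select the other allowed modes.
ALLOWED_ENC = re.compile(r"^aes(128|192|256)(gcm(8|12|16)|ccm(8|12|16)|ctr)?$")
ALLOWED_INTEGRITY = {"sha256", "sha384", "sha512"}      # HMAC-SHA2 integrity
ALLOWED_PRF = {"prfsha256", "prfsha384", "prfsha512"}    # HMAC-SHA2 PRF
# Diffie-Hellman groups 14 through 21: MODP-2048..8192 and ECP-256/384/521.
ALLOWED_DH = {"modp2048", "modp3072", "modp4096", "modp6144", "modp8192",
              "ecp256", "ecp384", "ecp521"}
FORBIDDEN = {"des", "3des", "md5", "sha1", "null"}


def check_ike_proposal(proposal: str) -> list:
    """Return the policy violations found in one proposal such as
    'aes256gcm16-prfsha384-ecp384'; an empty list means it complies."""
    violations = []
    tokens = proposal.strip().rstrip("!").split("-")   # trailing "!" = strict flag
    enc, rest = tokens[0], tokens[1:]
    if not ALLOWED_ENC.match(enc):
        violations.append(f"encryption '{enc}' is not AES-GCM/CTR/CBC/CCM with a 128/192/256-bit key")
    has_sha2, has_dh = False, False
    for tok in rest:
        if tok.startswith(("modp", "ecp")):
            has_dh = True
            if tok not in ALLOWED_DH:
                violations.append(f"DH group '{tok}' is outside groups 14-21")
        elif tok in ALLOWED_INTEGRITY or tok in ALLOWED_PRF:
            has_sha2 = True
        elif tok in FORBIDDEN:
            violations.append(f"'{tok}' is forbidden by the standard")
        else:
            violations.append(f"unrecognised token '{tok}'")
    if not has_sha2:
        violations.append("no HMAC-SHA256/384/512 integrity or PRF specified")
    if not has_dh:
        violations.append("no Diffie-Hellman group specified")
    return violations


def check_ike_line(line: str) -> dict:
    """Check every comma-separated proposal on an 'ike=' configuration line."""
    value = line.split("=", 1)[1]
    return {p: check_ike_proposal(p) for p in value.split(",")}


if __name__ == "__main__":
    # Constructed sample line: one legacy proposal beside two compliant ones.
    sample = "ike=3des-sha1-modp1024,aes128-sha256-modp2048,aes256gcm16-prfsha384-ecp384!"
    for prop, found in check_ike_line(sample).items():
        print(prop, "OK" if not found else found)
```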

Virtual Private Network (VPN) Encryption

  1. Use encrypted IPsec transmission protocols for VPN tunnels.
  2. Encrypt VPN tunnels using FIPS 140-2 or higher encryption, where feasible.
  3. When using a certificate for securing remote access VPNs, the certificate used to secure remote access must meet the following criteria:
    1. The certificate must be from a trusted source.
    2. The certificate must have a valid date and should not be expired.
    3. The certificate’s key length should be 2048 bits or more.
    4. The hash used to sign the certificate should be SHA-2 or better.
    5. When the certificate is applied, the TLS version should be 1.1 or higher (1.2 is recommended).

Secure Shell (SSH) Encryption

  1. Use of SSH must only be permitted after successful authentication to the OU VPN.
  2. Use public key authentication with recommended encryption algorithms.
  3. Use a strong passphrase that aligns with the OU IT Password Policy when generating an SSH key pair.
  4. Write public keys to a protected location (protected network share, local storage on a trusted machine, department encrypted USB drive).

Wireless Network Encryption

  1. Use WPA2 protocols to encrypt wireless network communications.

Data or Database Encryption

  1. Category A, B, C, D1, or E data transmitted between an application server and a database should be encrypted.
  2. Databases storing Category A, B, C, D1, or E data should use whole disk encryption or features native to the database server software that allow for encryption of the whole disk, specific tables, or columns of a database.
  3. Data contained in backups and/or archive copies must be encrypted.

Encryption Algorithms

  1. Where digital signature encryption services are used, acceptable algorithms include:
    1. RSA (minimum 2048-bit) with SHA-2 (maximum 3072-bit)
  2. Digital certificates shall apply recognized standards (X.509) and shall at least:
    1. Identify the issuing certificate authority and be authorized by OU IT or strictly designated for internal usage.
    2. Identify its subscriber.
    3. Provide the subscriber’s public key.
    4. Identify its operational period.
    5. Be digitally signed by the issuing certificate authority.

Encryption Keys

  1. When not using OU-managed encryption services with encryption key escrow, always keep the private key stored somewhere secure.
  2. Ensure that private keys (for SSH, web server certificates, etc.) are readable only by the key owners or the processes that need to access them. Use vendor-recommended best practices to protect keys when implementing encryption in the cloud.
  3. Do not write down keys on paper.
  4. Use a university-managed password manager for storing SSH keys.
  5. Use a FIPS 140-2 or higher compliant USB drive for storing Category D1 (CUI/ITAR) keys.
  6. Use the OU IT Password Vault to store data center server keys.
  7. Review and update the cryptographic key management plan annually.
  8. Document the implementation details of all algorithms, protocols, and keys used for the protection of data, including key strength and expiry date.
  9. Store key-encrypting keys and data-encrypting keys in different locations, where possible.
  10. Change the encryption key from the default setting during installation.
  11. Change encryption keys when someone with access to the key changes job responsibilities or terminates employment.
  12. Do not hard-code keys into software.
  13. Limit keys to a single, specific purpose.
  14. Recovery of encryption keys should be part of IT disaster recovery planning, except for data used by a single individual (e.g., an individual faculty member’s grade book working copy).
  15. Where symmetric encryption keys are used:
    1. Keys shall be randomly generated according to industry standards.
    2. Master keys shall be changed at least once per year.
    3. Key-encrypting keys shall be changed at least twice per year.
  16. Where asymmetric encryption is used, the operational period of asymmetric keys associated with a public key certificate is defined by the encryption key management plan of the issuing certificate authority.

References

  • Information Classification Standard
  • OU Password Policy
  • Remote Access Policy
  • National Institute of Standards and Technology Cybersecurity Framework (CSF), PR.DS-1, PR.DS-2
  • National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information: 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.13.3
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA), Security Rule §164.308(a)(3), §164.308(a)(4), §164.310(a)(2)(iii), §164.310(b), §164.312(a)(1), §164.312(a)(2)(i), §164.312(a)(2)(ii)
  • National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems, AC-5, AC-6
  • National Institute of Standards and Technology Special Publication 800-77 Revision 1
  • Payment Card Industry (PCI) Data Security Standards
  • National Security Agency / Central Security Service DAR CNSA 2 / DAR 4.8
  • Federal Information Processing Standards (FIPS) Publication 186-4 / 140-2

Details

Article ID: 3086
Created
Tue 10/17/23 9:01 AM
Modified
Thu 10/26/23 9:12 AM