Updated October 2024
Purpose
The System Security Encryption Guidelines provide guidance on minimum data encryption requirements for Boise State University computing devices. To help facilitate and manage full drive encryption, Boise State now supports Windows BitLocker and Mac FileVault 2 enterprise encryption for mobile devices such as laptops. Contact Customer Care at 426-4357 for details on deploying encryption on your device.
Workforce members that use mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) or mobile data storage devices (e.g. floppy disks, CDs, DVDs, flash memory, portable hard drives) are responsible for the protection of the data on those devices.
Applicability
This guideline applies to all computing devices and systems at Boise State University that store restricted or confidential information.
Guideline
Workforce members that use mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) or mobile data storage devices (e.g. CDs, DVDs, flash memory, portable hard drives) are responsible for the protection of the data on those devices. This responsibility includes the use of encryption as outlined below, whether the devices are personally owned or furnished by Boise State University.
Special Requirements for Passwords, PHI, and PII
Boise State University has identified situations involving certain classes of confidential information that have elevated risks and for which encryption is required.
Passwords
- Passwords must be encrypted during transmission over any networks.
- Passwords must be encrypted at rest on any computers, computerized devices, or digital storage systems.
Protected Health Information (PHI)
- PHI must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
- PHI must be encrypted during transmission over any wireless networks.
- PHI must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. CDs, DVDs, flash memory, portable hard drives).
Personally Identifiable Information (PII)
- PII must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
- PII must be encrypted during transmission over any wireless networks.
- PII must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. CDs, DVDs, flash memory, portable hard drives).
All Other Restricted Data
- Restricted Data must be encrypted during transmission over networks not owned and/or operated by Boise State University or its affiliates.
- Restricted Data must be encrypted during transmission over any wireless networks.
- Restricted Data must be encrypted at rest on any mobile computing devices (e.g. laptops, tablet computers, PDAs, smart phones) and on any mobile data storage devices and media (e.g. CDs, DVDs, flash memory, portable hard drives).
Encryption Algorithms
Any of the recommended algorithms will provide adequate security for their intended purpose. System Owners and end users should feel free to select whichever recommended algorithms are available in the products they are using.
Recommended Encryption Algorithms
- Advanced Encryption Standard (AES) (FIPS PUB 197)
- Blowfish
- Triple Data Encryption Standard (3DES) (FIPS PUB 46-3)
- Twofish
Recommended Digital Signature Algorithms
- Digital Signature Algorithm (DSA) (FIPS 186-2 Digital Signature Standard)
- RSA (FIPS 186-2 Digital Signature Standard)
Recommended Digital Hash Algorithms
- Secure Hash Algorithm (SHA-256, SHA-384, SHA-512).
Protection of Passwords and Private Keys
Encrypted information is decrypted and made readable by use of a password (symmetric encryption systems) or a private key (public key or certificate-based systems). Passwords and private keys must be protected from unauthorized access or the encrypted information may also be accessible to unauthorized persons.
If passwords or private keys are stored on disk or other forms of digital media, special care must be taken to provide logical access controls (e.g. file system permissions) and/or physical security measures (e.g. key stored on flash memory in a safe) that prevent access by persons other than its intended user(s).
Protections for the Availability of Encrypted Data
If the keys, passwords, or other mechanisms used for decryption of information are forgotten, lost, or corrupted, the original information may be unrecoverable. Such an event could have a significant or severe impact on Boise State University operations if the unrecoverable information is the only source of an important institutional data set. System owners planning to use encryption in this situation must ensure the availability of the original information by including encryption in their business continuity plan. This may involve secure storage of multiple copies of the keys in several locations and ensuring that multiple staff members trained in the recovery procedures are always available.
Questions about this guideline should be directed to the Chief Information Security Officer at CISO@boisestate.edu or (208) 426-4127.