File code: TECH.ENCRYPTION.POL
Approval Date: 4/29/2009
Approved By: President
Proven, standard algorithms should be used as the basis for encryption technologies. The use of proprietary encryption algorithms is not allowed for any purpose. Symmetric cryptosystem key lengths must be at least 128 bits (256-bit is recommended). Asymmetric crypto-system keys must be of a length that yields equivalent strength. WIU’s key length requirements will be reviewed annually and upgraded as technology allows.
Note: Be aware that the export of encryption technologies may be restricted by the U.S. government. Residents of countries other than the United States should make themselves aware of the encryption laws of the country in which they reside.
Note: Be aware that while travelling outside the U.S. you may be required to provide your encryption keys or password. Best practice states that you should never travel with sensitive data but if you must access sensitive data while travelling download it via VPN at your destination and delete the local copy before continuing your trip.
Additional encryption requirements for devices or media hosting sensitive data
Proper use of sensitive data begins by evaluating business processes for the need to take in or store sensitive data and if indeed it is needed ensure that appropriate protection (obfuscation, masking, one-way hash, encryption, etc.) is applied throughout the data lifecycle. Sensitive data must never exist on University computers unprotected.
It is recommended that University owned or managed computers storing sensitive data employ full disk encryption with an approved software or hardware encryption solution. Additionally, WIU recommends the deployment of software to assist in the recovery or remote wiping of University computers.
PDAs, Cell phones and removable media
Any device or media with memory or that can be used to transport data (such as but not limited to tapes, CDs, DVDs, diskettes, thumb drives, memory sticks, PDAs, cell phones, printers, fax machines, MP3 devices, digital cameras, etc.) must never hold sensitive data or must be protected (obfuscation, masking, one-way hash, encryption, etc.) and must be properly disposed.