Information Security Encryption Policy

Version Number: 1.1
Document Status: Approved
Date Approved: 28 July 2017
Approved By: Senior Information Risk Owner
Effective Date: 1 August 2017
Date of Next Review: 1 August 2019

1        Purpose of the Policy

This policy is intended to establish the requirements for the application of encryption to data and equipment as a means of protecting the confidentiality, integrity and availability of the University’s information assets.  It also sets out any relevant standards which those controls must meet.

2        Scope

2.1     The policy covers the application of encryption to University Information Asset Equipment (see Definitions below) and/or information categorised as Classified (Confidential and Highly Confidential) under the University’s Information Classification.

3        Relationship with existing policies

This policy forms part of the Information Security Management Framework.  It should be read in conjunction with the Information Security Policy and its supporting policies, specifically, the Information Classification and Handling Policy, the IT Security Baseline Controls Policy and the Remote and Mobile Working Information Security Policy.

4        Policy Statement

In order to mitigate the risk of disclosure or tampering with Classified Information through interception, loss or theft of data or equipment, the University shall deploy appropriate cryptographic security controls in conjunction with procedures that manage the associated encryption keys.

Where valid business reasons exist, exceptions to this policy can be signed off by Heads of Schools/Departments/Colleges using the Exception Form.

5        Policy

5.1     Information

University Classified Information shall normally be created and stored within a University managed secured system, as per the University’s Information Handling Procedures.

However, when University Classified Information is transmitted outside such a secure system, it shall be encrypted in transit.  Encryption in transit may include encrypting a file sent via email, encrypting a portable hard disk being used to transfer data or the use of encrypted transmission protocols such as SSL.

5.2     Devices

When a device is capable of device encryption and recovery keys can be safely made available to the University, it is required that device encryption be applied.

5.2.1  University Owned Laptops

From the effective date of this policy, all University owned laptops shall be encrypted using full disk encryption.

The University recognises that certain devices may be frequently cleared of Classified Information, and that these may be good candidates for an approved exception from the policy.  Examples of such devices may include laptops used for examination purposes that are frequently re-imaged via existing well-managed processes. The University requires the ability to decrypt a device in order to recover any information held upon it if necessary.  The University’s central encryption solutions shall therefore manage any keys, passphrases or other secrets (for example, hardware tokens) necessary to recover data from encrypted devices.

In order to meet this policy, the encryption solution used to encrypt laptops shall be one of the University’s approved solutions as set out in Schedule A.

5.2.2  Personally Owned Laptops

Personally owned laptops will not necessarily have security features enabled equivalent to managed University owned laptops.  In addition, they are likely to be used by a number of users, not all of whom may be University workers, and they are likely to be passed on to other family members, sold privately or recycled.  Furthermore, being portable, they are at risk of being lost or stolen. As such these machines pose a high risk to the security of information they store.

In accordance with the Information Handling Procedures, workers shall not create or store Classified Information on personally owned laptops, including via the use of file synchronisation tools.  Non-classified information shall not be stored on the device unless a copy is also stored in a University owned system.

The University recognises that certain applications such as email or file synchronisation may automatically download information without a worker’s explicit action and therefore when such tools are used on personally owned laptops then encryption methods in line with those set out in Schedule A shall be applied.  In addition the worker must ensure that the laptop is protected in line with the IT Security Baseline Controls Policy.

The worker handling University Information takes full responsibility for the application of the required security controls and for ensuring that the information is secure throughout its lifecycle, which will include ensuring the device is securely wiped of University Information before disposal.

5.2.3  Smartphones and Tablets

All smartphones, tablets or other smart devices used for work purposes (regardless of ownership) shall be encrypted. In order to meet this policy requirement, smartphones and tablets must meet the minimum technical specifications as set out in Schedule A.

Connecting to Office 365 on a smartphone or tablet via the University recommended process (which uses Exchange Active Sync) will enforce the application of encryption on the device and is the recommended means of enabling such encryption. Other mandatory security controls applied via Exchange Active Sync are listed in the IT Security Baseline Controls Policy.

5.2.4 Other Portable Devices

Particular care must be taken with the physical security of other portable devices with less inherent security features, such as digital cameras, external hard disks, USB sticks and recording devices.

Where device encryption is available it should be used and the relevant recovery passphrases or keys securely stored on the University’s network.

The use of these devices should be avoided for Classified Information where possible, but if they are required to collect Classified Information that information shall not be stored on the device beyond the minimum length of time required to transfer that data to a secure location such as a secure laptop or on the University’s network.  Whilst the device holds Classified Information that information must be protected either with device encryption or file encryption.  All records of the Classified Information shall be securely deleted from the device immediately after successful transfer and the device must be disposed of securely when no longer required by the University.

5.2.5 Portable Devices used for Backup

Particular care must be taken with the physical security of other portable devices with less inherent security features, such as external hard disks which are used for long term storage, backup or archival purposes.

Where device encryption is available it should be used and the relevant recovery passphrases or keys securely stored on the University’s network.

Whilst the device holds Classified Information that information must be protected either with device encryption or file encryption and the device must be disposed of securely when no longer required by the University.

5.2.6 Other Devices

Where other Information Asset Equipment, such as a printer, is not able to have encryption applied, that equipment shall still be managed in line with the IT Security Baseline Controls Policy and the Disposal Policy.

5.3     Computer Workstations

5.3.1  University Managed Computer Workstations

University owned workstations that run the managed workstation service image(s) provide a secure environment in line with the controls specified in the IT Security Baseline Controls Policy.  These images will be extended over time to transparently apply device encryption and when this is in place it shall not be deliberately circumvented.

5.3.2  University non-Managed Computer Workstations

University owned workstations are licensed for the use of Sophos Safeguard for device encryption and it, or equivalent software providing device encryption and key recovery facilities, must be used.  Costs associated with the use of other software must be borne by the department.

5.3.3  Personally owned computer workstations

Personally owned workstations (i.e. desktop PCs and Macs) will not necessarily have security features enabled equivalent to managed University owned workstations.  In addition, they are likely to be used by a number of users, not all of whom may be University workers, and they are likely to be passed on to other family members, sold privately or recycled.  Furthermore, being located in a domestic setting, they are at higher risk of being stolen.  As such these machines pose a high risk to the security of information they store.

In accordance with the Information Handling Procedures, workers shall not create or store Classified Information on personally owned workstations, including via the use of file synchronisation tools.  Non-classified information shall not be stored on the device unless a copy is also stored in a University owned system.

The University recognises that certain applications such as email or file synchronisation may automatically download information without a worker’s explicit action and therefore when such tools are used on personally owned workstations then encryption methods in line with those set out in Schedule A shall be applied.  In addition the worker must ensure that the workstation is protected in line with the IT Security Baseline Controls Policy.

The worker handling University Information takes full responsibility for the application of the required security controls and for ensuring that the information is secure throughout its lifecycle, which will include ensuring the device is securely wiped of University Information before disposal.

5.4     File Synchronisation and Sharing Tools

Workers must not put Classified Information at risk of compromise of confidentiality or critical University information at risk of loss through the use of non-secure tools and methods (such as non-approved third party services) and/or personally owned email accounts.  In particular, workers shall ensure that the use of any file synchronisation and sharing tool (for example, Dropbox, Google Drive) to support remote or mobile working is compliant with the Information Classification and Handling Procedures.

File-level encryption shall be applied to University Classified Information that is stored in external services. Keys, passphrases or other secrets must be made available to the University by secure means such that the University is able to recover the information if required.

The currently approved University tools are defined in the Information Handling Procedures.

5.5     Enhanced security requirements

The University recognises that specific research groups/centres may have enhanced requirements as a result of the information security requirements of their external partners.  The University’s Information Security team will advise on the introduction of enhanced measures for specific groups and will support a number of specific information security services as advertised on the IT Services pages.

5.6     Third parties

Where third parties are handling University Information, they shall apply controls equivalent to those applicable to University managed devices.

6        Responsibilities

Responsibility for reviewing the specific sets of controls to support this policy lies with the Chief Information Officer (CIO) – University IT as part of the Information Security Framework Annual Review, taking account of changes in the internal and external environments and the University’s risk appetite.

Heads of Schools/Departments/Colleges are responsible for ensuring that School/Department/College purchases meet the relevant specifications as set out in the Schedules.  Where this is not acceptable for valid business reasons then Heads are responsible for signing off exceptions using the Exceptions Form. Heads of School/Department/College are also responsible for ensuring that staff are aware of the need to adhere to this policy and report non-compliance via the defined and approved channels.

Individual workers are responsible for adhering to the information security framework policies and following the Information Classification and Handling Procedures.  Where the policy requirements are reliant on individual workers taking steps to secure the information they are handling, the individual worker will be personally accountable and liable for failing to follow the required policy, procedure or process.  Individual workers are responsible for ensuring that any shortfalls in cryptographic controls are reported promptly to their line manager and (where an incident has occurred) to the IT Service Desk.

7        Compliance

Breaches of this policy may be treated as a disciplinary matter dealt with under the University’s staff disciplinary policies or the Student Disciplinary Code as appropriate. Where third parties are involved, breach of this policy may also constitute breach of contract.

Definitions

Information Asset Equipment: Covers the following University owned items of equipment: computers, servers, laptops, tablets, mobile phones, solid state drives, external hard drives, server/computer backups on tape or disk, USB sticks, scanners, printers and CDs/DVDs.

Classified Information: Information that is confidential, highly confidential or requires enhanced protection to ensure integrity or availability due to its nature.  A detailed breakdown of the University’s confidentiality classification system can be found in the University’s Information Classification document.

SCHEDULE A – Encryption Specifications and Required Controls

University Owned Laptop and Workstation Security Controls

University owned laptops and workstations shall be encrypted using the University’s enterprise solution:

  • Sophos Safeguard (including Apple File Vault 2 managed by Safeguard)
  • Symantec PGP (for Linux or where there is a requirement for an HMG certified encryption product)

This allows for key recovery in the event that the user forgets the password and also remote wipe of the device in the event that the device is lost or stolen.

Where any of the above controls cannot be adhered to for valid business reasons this shall be authorised by the relevant Head of School/Department using form x and a copy sent to the IT Security team.

Access to, and advice on, the most appropriate encryption software and the necessary minimum technical computer specifications is available via IT Services.

Note: the availability of the encryption solution for managed workstations is currently under development and will be rolled out during 2016/2017.

Personally Owned Laptop and Workstation Security Controls

Access to, and advice on, the most appropriate encryption software is available via IT Services.

The University is not able to provide licenses for the use of such software on personally owned devices and the worker must ensure that they comply with licensing conditions.

All Smartphones and Tablets Basic Specification

Any smartphone or tablet intended for use for work shall be capable of being encrypted.  The versions of common software which will support this are:

  • iOS 8 and upwards on iPhone 4 GS and later models
  • Windows Phone 7 and later models
  • Blackberry all versions
  • Android 4.4 and later