1. Purpose

   To ensure proper and effective use of cryptography to protect the confidentiality and integrity of data owned or managed by Winston-Salem State University (WSSU). Confidential information must be encrypted by the use of valid encryption processes for data at rest and in motion as required by state or federal statute or regulation. This includes but is not limited to confidential information stored on mobile devices, removable drives, and laptop computers.

2. Cryptographic controls

   1. Confidential information transmitted over a public network must be encrypted.
   2. Confidential information stored in a public location that is directly accessible without compensating controls in place must be encrypted.
   3. Storing confidential information on portable devices is discouraged.
   4. Confidential information must be encrypted if copied to or stored on a portable computing device, removable media, or non-university owned computing device.
   5. In instances where no technology exists to encrypt a device, compensating electronic controls must be implemented to secure the device.
   6. Encryption of a device must be documented and verifiable.
   7. Information systems will obtain and issue public key and Secure Sockets Layer (SSL) certificates from an approved service provider. This control focuses on certificates with visibility external to the information system and does not include certificates related to internal system operations, for example, application-specific time services.
   8. Encryption keys must be managed in a secure environment.
      1. Key management and establishment will be performed using automated mechanisms with supporting manual procedures.
      2. Keys should be securely distributed and stored.
      3. Access to keys should be restricted only to individuals who have a business need to access them.
      4. All access to keys requires authorization and should be documented.

3. Institutional and Personal Mobile Devices

   WSSU OIT must encrypt institutionally-owned mobile devices. If a device is not capable of encryption, no Category I data may be stored on the device; this also applies to personally owned mobile devices.