RUL - 70.00.12 Encryption Controls

Authority:
Information Technology
Responsible Office:
Information Technology Services
Contact:
Information Technology Services, 919-530-7423, [email protected]
History:
Effective Date: September 02, 2021; Revised: March 2025

1. Purpose

The purpose of this rule is to ensure that efforts to keep university resources secure using encryption controls are conducted in a manner that preserves the confidentiality, integrity, and authenticity of the information.

Encryption should be used in conjunction with other data protection controls, such as access control, strong passwords, authentication, and authorization.

Federal or state regulations or contractual agreements may require additional actions that exceed those included in this rule.

2. Scope

This rule applies to:

  • All faculty, staff, students, contractors, and other authorized users who access, transmit, store, or otherwise process University data or systems.
  • All University-owned or managed devices and services (including servers, desktops, laptops, tablets, smartphones, cloud services, and removable media).
  • All University data classified under the REG 70.00.2 – Data and Information Regulation as Confidential, Restricted, or otherwise requiring protection.

3. Roles and Responsibilities

  • Information Technology Services (ITS) Security: Develops, publishes, and maintains encryption standards; manages encryption tools and key management; reviews and approves exceptions.
  • System Administrators and Device Owners: Implement encryption controls, manage encryption keys, and maintain audit records.
  • End Users: Use only University-approved encryption methods when handling sensitive data, and report suspected incidents promptly.

4. Encryption Requirements

4.1 Encryption at Rest

  • All portable and mobile devices that store University data must use full-disk encryption (FDE) approved by ITS Security.
  • Servers and data storage systems containing restricted or confidential data must use encryption at the disk, folder, or database level.
  • Alternate encryption products may be used only if reviewed and approved by ITS Security, with proper documentation of key management and recovery plans.
  • Encryption complements but does not replace authentication, backups, or access controls.

4.2 Encryption in Transit

  • Transmission of restricted or confidential data over non-University networks must use secure, encrypted channels (e.g., TLS 1.2+, VPN, or SFTP).
  • Email or file transfers containing sensitive data outside the University network must use approved encryption or secure delivery systems.
  • Remote or mobile access to University systems must employ encrypted connections and multi-factor authentication.

4.3 Key Management and Access Controls

  • Encryption keys must be securely generated, stored, rotated, revoked, and retired per ITS guidelines.
  • Keys must be protected against unauthorized access and never shared among users.
  • Key management and recovery processes must be documented and reviewed periodically.

4.4 Exceptions and Compensating Controls

  • Exceptions must be formally requested through ITS Security and include justification, a risk assessment, and compensating controls.
  • Approved exceptions will be reviewed periodically and maintained in a central exception log.

4.5 Verification and Monitoring

  • ITS Security will perform periodic audits to verify encryption compliance.
  • Units must ensure all University-owned devices and systems are encrypted and properly configured before deployment.
  • Non-compliance will require immediate remediation and may result in disciplinary action or access restrictions.

5. Enforcement

Violation of this rule may result in disciplinary action, suspension of access privileges, or other administrative measures consistent with University policy. The University reserves the right to restrict or deny device and network access to protect institutional data.

6. Related Policies & Regulations