Longwood University
Policy 6103
ENCRYPTION POLICY
I. PURPOSE
The purpose of this policy is to limit the use of
encryption to those algorithms that have received substantial public review and
have been proven to work effectively and to identify federal exportation
regulations regarding encryption technologies.
II. DEFINITIONS
A. Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual or the government.
B. Encryption Key: A string of characters used to encode data with a cryptographic algorithm or to decode data that has been encoded by a cryptographic algorithm.
C. Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
D. Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).
E. One-way Hash Function: An algorithm that does not require a key and produces an irreversibly encrypted cipher-text. Other names for this are message digest, fingerprint, digital signature and compression function.
III. POLICY
A. Encryption Standards:
1. Approval, Distribution and Management of Encryption Technology:
a. The Chief Information Officer (CIO) will approve all encryption technology used on University information
technology (IT) resources and systems.
b. Information and Instructional Technology Services (IITS) will distribute and manage all encryption keys.
c. All use of encryption technology must be managed in a manner that permits properly designated University
officials prompt access to all data, including for purposes of investigation and business continuity.
d. No encryption technology other than that approved, managed and distributed by IITS may be used on
University IT resources or systems.
2. Minimum Encryption Standards:
a. IITS will set minimum requirements for encryption used on University IT resources and systems.
b. Proven, standard algorithms should be used as the basis for encryption technologies used by the University.
These algorithms represent the actual cipher used for an approved application.
c. The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified
experts outside of the vendor in question and approved by the Information Security Office.
B. Acknowledgement of Federal Exportation Regulations:
Be aware that the export of encryption technologies is restricted by the U.S. Government. Devices with
encryption technology permanently installed may not be taken outside of the United States. Residents of countries
other than the United States should make themselves aware of the encryption technology laws of the country in
which they reside.
IV. ENFORCEMENT
The University regards any violation of this
policy as a serious offense. Violators of this policy are subject to
disciplinary action, in addition to possible cancellation of IT resources and
systems access privileges. Users of IT resources and systems at Longwood are
subject to all applicable local, state and federal statutes. This policy
does not preclude prosecution of criminal and civil cases under relevant local,
state, federal and international laws and regulations.
Approved by the Board of Visitors, March 20, 2004.
Revised, April 1, 2005.
Revised and approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, September 12, 2008.
Revised and approved by the Board of Visitors, March 27, 2009.