PURPOSE:
This Data Encryption Policy outlines the standards and procedures for encrypting Idaho College of Osteopathic Medicine (ICOM) data, both in transit and at rest. The purpose of this policy is to protect the confidentiality and integrity of sensitive institutional data from unauthorized access, disclosure, or modification. Encryption is a critical security control for safeguarding data, mitigating risks associated with data breaches, and complying with applicable legal and regulatory requirements. This policy applies to all systems and locations where institutional data is stored or transmitted.
SCOPE:
This policy applies to all institutional data classified as Restricted or Confidential as defined in the Data Classification Policy. While encryption of Internal and Public data is not mandated by this policy, it is strongly encouraged as a security best practice.
This policy applies to all locations where sensitive institutional data is stored or transmitted, including but not limited to:
- Institutionally owned devices (desktops, laptops, servers, mobile devices)
- Personally owned devices (desktops, laptops, mobile devices) when used to access institutional resources ("Bring Your Own Device" or BYOD)
- Network infrastructure (internal and external networks)
- Data centers and server rooms
- Removable media (USB drives, external hard drives, etc.)
- Approved cloud storage services
- SaaS Applications and data stored within SaaS vendor environments
- Email communications
- Web traffic
This policy applies to all individuals who handle or are responsible for sensitive institutional data, including but not limited to:
- Faculty
- Staff
- Administrators
- Students (when handling sensitive data)
- Affiliates
- Contractors
- Vendors
DEFINITIONS:
- Encryption: The process of converting data into an unreadable format (ciphertext) to protect its confidentiality. Only authorized individuals with the correct decryption key can convert the data back to its original readable form (plaintext).
- Data at Rest: Data that is stored physically on any type of storage device, such as hard drives, solid-state drives (SSDs), USB drives, tapes, or cloud storage.
- Data in Transit: Data that is being transmitted over a network, such as the internet, a local area network (LAN), or a wireless network.
- Ciphertext: The unreadable format of data after it has been encrypted.
- Plaintext: The original, readable format of data before it is encrypted or after it has been decrypted.
- Encryption Key: A secret piece of information (a string of characters or numbers) used by an encryption algorithm to encrypt and decrypt data. The security of encrypted data heavily relies on the secrecy and strength of the encryption key.
- Encryption Algorithm: A mathematical formula or procedure used to encrypt and decrypt data. Common algorithms include AES (Advanced Encryption Standard) and RSA.
- Full Disk Encryption (FDE): A security technology that encrypts the entire contents of a hard drive or other storage device.
- File-Level Encryption: Encryption that is applied to individual files or folders, allowing users to encrypt specific data while leaving other data unencrypted.
- Database Encryption: Encryption that is applied to data stored within a database management system. This can include encrypting entire databases, specific tables, or individual data fields.
- Transport Layer Security (TLS): A cryptographic protocol designed to provide communications security over a computer network. It is widely used for securing web traffic (HTTPS).
- Virtual Private Network (VPN): A technology that creates a secure and encrypted connection over a less secure network, such as the internet, often used for secure remote access.
- Key Management: The processes and procedures used to generate, store, protect, distribute, use, and destroy encryption keys throughout their lifecycle. Secure key management is essential for effective encryption.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis. Encryption within SaaS environments is often a shared responsibility.
POLICY:
Encryption Requirement for Sensitive Data: All institutional data classified as Restricted or Confidential must be encrypted, both in transit and at rest, to the greatest extent feasible and technically practical.
Data at Rest Encryption:
- Servers and Databases: Servers and databases storing Restricted or Confidential data must utilize encryption at rest. Acceptable encryption methods include full disk encryption, database encryption, file-level encryption, and industry-standard algorithms like XTS-AES 128.
- Endpoint Devices (Desktops, Laptops, Mobile Devices): Institutionally owned desktops, laptops, and mobile devices that store or access Restricted or Confidential data must utilize full disk encryption. Personally owned devices (BYOD) used to access such data should also utilize full disk encryption or equivalent measures, as feasible and practical.
- Removable Media: Restricted or Confidential data stored on removable media must be encrypted. The use of unencrypted removable media for storing or transporting Restricted or Confidential data is prohibited.
- Cloud Storage: Restricted or Confidential data stored in cloud storage services (institutional or vendor- provided) must be encrypted at rest. Utilize vendor-provided encryption features or institutional encryption solutions as appropriate.
- SaaS Applications: For SaaS applications handling Restricted or Confidential data, the institution will:
- Vendor Encryption Verification: Verify that SaaS vendors implement robust encryption at rest for data they store on behalf of the institution.
- Institution-Managed Encryption (If Possible): Where feasible and offered by the vendor, utilize institution-managed encryption key options to maintain greater control over data encryption within SaaS applications.
Data in Transit Encryption:
- Web Traffic: Web Traffic communications transmitting Restricted or Confidential data, both within the institution's network and over external networks (including the internet), must be encrypted in transit. Utilize secure protocols such as TLS/HTTPS, VPNs, and other industry-standard encryption methods.
- Email Communications: Email communications containing Restricted or Confidential data must be encrypted in transit. Utilize secure email protocols and encryption methods for sending and receiving sensitive information via email. If users are unsure whether their email is appropriately encrypted, or if appropriate email encryption is unavailable, they must use an approved secure email, file-sharing, or storage service.
- Network Access: Users must not access Restricted or Confidential data over unsecured networks, including public or untrusted Wi-Fi. When access is required, users must establish a secure, encrypted connection - such as through the college-approved VPN or enterprise web browser.
Encryption Key Management: Secure and robust encryption key management practices must be implemented for all encryption solutions. Key management procedures will address key generation, storage, access, distribution, rotation, recovery, and destruction, in accordance with security best practices and compliance requirements.
Acceptable Encryption Standards: The institution will utilize encryption technologies and algorithms that meet industry best practices and comply with relevant security standards and regulations. [e.g., XTS-AES 128, AES-256, or higher]. The Information Technology Office will maintain a list of approved encryption technologies and standards.
POLICY EXCEPTIONS:
Exceptions to this Data Encryption Policy may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification, risk assessment, and compensating security controls documented and implemented. Exceptions should be rare and subject to periodic review.
ENFORCEMENT:
Enforcement of this Data Encryption Policy is the responsibility of all managers, supervisors, data custodians, system administrators, and data users, under the overall direction of the Chief Information Officer. Violations of this policy, particularly those that result in the unauthorized disclosure of sensitive data due to lack of encryption, may result in disciplinary actions, up to and including termination of employment or access privileges, and potential legal or financial consequences. The Information Technology Office will monitor compliance with this policy and investigate reported violations or encryption incidents.
POLICY REVIEW AND UPDATES:
This Data Encryption Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, encryption standards, regulations, institutional risk assessments, business needs, or best practices in data security. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual