IS11: Encryption Policy
This Policy sets out the additional principles, expectations and requirements for how and when information should be encrypted, so that ‘protected’ and ‘restricted’ information transmitted over data networks is protected against risks of interception.
Policy Introduction and Purpose
This Encryption Policy is a sub-policy of the University’s Information Security Policy (IS01).
It sets out the additional principles, expectations and requirements of how and when information should be encrypted.
Scope and Definitions
This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.
Definition
Encryption is the process of encoding (or scrambling) information such that it is unreadable and can only be converted back to its original form (decrypted) by someone who (or something which) possesses the correct decoding key.
A glossary of the terms used throughout the Policy can be found in our Information Management Glossary.
This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.
Responsibilities
Policy Responsibilities
The CIDO has the accountability to ensure that this policy is implemented, monitored and reviewed regularly.
All staff have a responsibility to operate compliantly with this policy.
Operational Responsibilities
Role | Function |
---|---|
Digital Strategy Group representative | Responsible |
Head of Department | Accountable |
Chief Information and Transformation Officer, Data Protection Officer | Consult |
University Information Management Committee representative | Inform |
Principles of the Policy
When to Use Encryption
Encryption must always be used when ‘protected’ and ‘restricted’ information is transmitted over data networks, to protect against risks of interception. This includes when accessing network services which require authentication (for example, usernames and passwords) or when otherwise sending or accessing protected and restricted information (for example, in emails).
It is advisable to encrypt ‘restricted’ data when it is being stored to protect against theft or unauthorised access.
Where non-public data is stored on or accessed from an end-user device (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders), the devices themselves must, where possible, be encrypted (using ‘full disk’ encryption), irrespective of device ownership.
Where data is subject to an agreement with an external organisation, the data should be handled (stored, transmitted or processed) in accordance with the University’s encryption requirements – process, data or system owners utilizing such arrangements must satisfy themselves that the processing organisation has appropriate encryption arrangements in place.
Enabling Encryption
Encryption is a powerful security mechanism, but improper implementation can lead to data loss risks. It is strongly recommended therefore that standard University-provided encryption services and tools are used.
Users in any doubt as to how to enable or manage encryption for their data or on their devices should contact IT Services for advice.
Encryption Standards
There are many different encryption standards available. Only those which have been subject to substantial public review and which have proven to be effective should be used. Specific guidance is available from IT Services and the University's Information Security website.
Where encryption is required, the standard University services should be used. Where alternative or local services are used then they must be documented and approved by the Chief Information and Transformation Officer (CITO).
Key Management
In all cases encryption keys (commonly in the form of a password or passphrase) must be stored and managed in a secure, retrievable manner. Loss of the encryption key can result in the encrypted data effectively being irretrievably lost. Data and devices encrypted using the standard University services have effective key management mechanisms.
Advice on travel and border/customs
Export regulations relating to cryptography (encryption) are complex, but so long as the encryption software used to encrypt a device or file is considered to be a "mass market" product it is unlikely that you will encounter any problems leaving or re-entering the UK.
You may be required to decrypt any devices or files by UK authorities on leaving, entering or re-entering the country. If you are requested to decrypt your files or devices you are advised to do so.
Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes a provision whereby certain "public authorities" (including, but not limited to law enforcement agencies) can require the decryption of devices or files. Failure to comply with such a lawful request is a criminal offence in the UK.
Considering these requirements, you must not travel with Restricted data stored on a device, without the consent of both the asset owner and the CIDO. The university can make provision for you to access such information remotely.
Travelling abroad
In addition to what has been written above about export regulations, you should also be aware that government agencies in any country may require you to decrypt your devices or files on entry or exit from the country. If you are travelling abroad with encrypted confidential data, this means that there is a risk that the data may have to be disclosed and you should consider the consequences of this.
Wherever possible, do not take restricted data with you when you travel (keep the data at the University and access it using the University's secure, remote access facilities).
Particular attention should be paid to the possible inadvertent export of data subject to the Data Protection Act to countries outside of the EEA (or the few other countries deemed to have adequate levels of protection) when travelling. (See Data Protection Policy for more information, IG02).
Considering these requirements, you must not travel with Restricted Secret data stored on a personal device, without the consent of both the asset owner and the CIDO. The university can make provision for you to access such information remotely.
Network and IT Systems Monitoring
The University (through appropriately authorised measures) will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated systems. Details of the University policy on monitoring are contained within the Investigation of Computer Use Policy (IS12).
Where devices or systems do not comply with this policy then they may be disabled or access to University resources blocked.
The University provides standard services for the acquisition, management and disposal of devices that satisfy the requirements of this policy. Individuals must use such services wherever possible. If, for any reason, such standard services cannot be used then suitable alternatives must be documented and approved by the CIDO.
Exemptions
‘Exemption requests’ under this policy must be submitted to the CIDO or their designate. Exemptions to this policy may only be granted by the CIDO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CIDO must be notified.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case-by-case basis.
Compliance Monitoring
Compliance with this policy will be monitored on an ongoing basis. The compliance focus will be on:
- Information and Data breaches due to nonconformities to this policy.
- Requests, and those requests accepted, to travel with restricted-secret data on a device.
- Exemption requests and granting of exemptions.
Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee.
A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.