Encryption
Default Protection Not Provided
- The Internet and other public networks do not provide inherent protection against wiretapping or unauthorized access.
- Users must actively enable encryption to protect sensitive information.
- Cellular or mobile phones should not be used to store or discuss Sensitive (Confidential or Restricted) information unless encryption measures are in place.
- Video conferences discussing sensitive information must only be conducted if encryption facilities are confirmed to be enabled.
When To Use Encryption
- Transmission: Confidential information transmitted over public computer networks, such as the Internet, must use encryption methods authorized by the IT Department.
- Storage: Confidential information stored on computers must also be protected using authorized encryption methods. Refer to the “Data Classification Quick Reference Table” for detailed guidelines on when and how to use encryption.
Key Selection
- Protection of Keys: Users must protect encryption keys or seeds from unauthorized disclosure, similar to how passwords are protected.
- Key Strength: The rules for selecting strong keys or seeds should follow the same guidelines as those for choosing strong passwords, ensuring robust security.
This policy mandates the use of encryption for protecting sensitive information and outlines the responsibilities for key management, thereby safeguarding data integrity and confidentiality.