Policy 1 - Acceptable Encryption
1.0 Purpose
The purpose of this policy is to provide guidance that limits the use of encryption technologies to those algorithms that have received substantial public review and have been proven to work effectively. Any questions or comments about this policy should be directed to Information Systems.
2.0 Scope
This policy applies to all MSU data, regardless of where it is stored.
3.0 Policy
This policy is to be used as a guideline for encryption methods for MSU data. MSU requires that certain sensitive data, as provided in the Information Sensitivity Policy, be encrypted according to the Acceptable Encryption Standard. The use of proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by the Information Security Officer.
Users of MSU’s information technology resources who may be involved in the development, transfer or sharing of any encryption technology are advised that these activities may be controlled by federal law. Users involved in any such activities should contact Information Systems, which will assist in providing additional information.
4.0 Enforcement
Anyone found to have violated this policy may be subject to disciplinary action according to personnel policies and procedures. A violation of this policy by a temporary worker, contractor or vendor may result in action up to and including the termination of their contract or assignment with MSU.
5.0 Definitions
Encryption
Encryption is a procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.
Policy adopted: 02-25-2011
Revision adopted:
Policy approval and adoption: MSU President's Office and Information Systems Security