PS129 Encryption


UTMB INFORMATION RESOURCES PRACTICE STANDARD
Section 1: Security Management
Subject 2: Data Transfers/Communications
Effective: 02/28/2009
Revised: 05/25/2012

Practice Standard 1.2.9 Data Encryption Requirements

Author: Information Security Officer

Data Encryption Requirements


Introduction

Cryptography is the science of transforming data so that it is interpretable only by authorized persons. Data that is unencrypted is called plaintext. The process of disguising plaintext data is called encryption, and encrypted data is called ciphertext. The process of transforming ciphertext back to plaintext is called decryption. The Texas Administrative Code states that "encryption techniques for storage and transmission of information shall be used based on documented security risk management decisions."

Purpose

The purpose of the Data Encryption Practice Standard is to set minimum encryption standards for the transmission of confidential data via the Internet, to establish rules for transmitting confidential data, and to identify the roles and responsibilities of the End-User, Management and Information Services.

Audience

The UTMB Data Encryption Practice Standard applies equally to all individuals who use any UTMB information resource.

Confidential Digital Data Management

Confidential Digital Data includes social security numbers, Protected Health Information (PHI), Confidential Research Data, digital data associated with an individual and/or digital data protected by law. Confidential digital data must be secured and protected while at rest on mobile computing/storage devices (i.e., portable hard drives, removable media, laptops, PDA or flash drive) and in transit (via the Internet or non-trusted network).

Implications

All confidential data sent over a public network will be encrypted using a minimum of 128-bit encryption. Data transmissions within the confines of the UTMB network, to include external systems connected to UTMB via a Virtual Private Network (VPN), are considered secure and do not require encryption. Encryption methods must employ key recovery so that data can be recovered in the event that an employee leaves UTMB or the employee's key is lost or stolen.


Practice Standard

If information that is considered to be confidential, such as PHI, SSNs, credit card, or other data classified as confidential by the data owner, traverses an un-trusted public network, such as the Internet, then the data shall be encrypted with at least 128-bit encryption.

Options for encrypting data in transit include:

a) Secure Sockets Layer (SSL) - uses public key cryptography to encrypt Web application sessions between the user's browser and the Web server. The Web server must have a certificate that has been generated by a Public Key Infrastructure (PKI). Users' browsers come pre-configured to trust the certificates of these well-known CAs, and browser client-side certificates are not required.

b) Virtual Private Networks (VPN) - use software and/or hardware to encrypt data between participating networks, or clients and networks. IP Security (IPSec) increasingly is becoming the standard for providing authentication and encryption between sites. IPSec authentication is based on the exchange of keys between communicating devices.

c) Public Key Infrastructure (PKI) - a PKI enables users of a basically unsecured public network, such as the Internet, to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority.

d) E-Mail - e-mail systems can support some types of encryption. Major mail clients can support encryption natively using Transport Layer Security (TLS) or S/MIME.

e) Documents - the Microsoft Office Suite and the Adobe Portable Document Format have native encryption features that support algorithms up to 128 bits.

f) Encrypted removable media - hardware-encrypted removable media support features including remote wiping and management features, such as key/file recovery and single-use access keys.

Options for encrypting data at rest include:

a) Full disk encryption - the entire contents of the disk are encrypted.

b) OS or system specific drive/file encryption - OS-enabled security features provide drive/file encryption, such as iPhone/iPad with security enabled.

Encryption keys shall be considered synonymous with UTMB's most sensitive category of information, and access to those keys must be restricted on a need-to-know basis. The keys to be used for encryption must be generated by means that are not easily reproducible by outside parties.

If an encryption solution is not available for a particular Internet transport protocol (i.e., email, FTP, IM, etc.), then information that has been classified as confidential must not be transmitted using that protocol.

End-User Responsibilities

a) Users must be familiar with data classification standards and encrypt data when appropriate.

b) When the data classification is unknown, users must check with the data owner. If the data owner is unavailable or unknown, data must be encrypted when sent via the Internet.

c) Users must not circumvent enterprise encryption solutions.

d) Users must not post sensitive data to websites external to UTMB unless the website is known to be secure.

Management Responsibilities

a) Department Managers will ensure that users are aware of UTMB's data classification scheme.

b) Department Managers will ensure that users are aware of UTMB's encryption requirements when sending sensitive data via the Internet.

c) When required, Department Managers will ensure that users are equipped with the necessary encryption tools to facilitate secure data transmissions.

Information Services

Information Services, using industry best practices, will implement, maintain and make available to the UTMB user community encryption solutions for the following data transport mechanisms:

a) Email

b) File Transfer Protocol (FTP)

c) Instant Messaging (IM)

d) Institutional Collaboration Services

e) Web Sites

The Information Services Security Department will monitor Internet traffic for evidence of confidential data that has been transmitted in an insecure/unencrypted format. The Information Services Security Department will inform identified individuals of policy violations and will make educational awareness material available to curtail future incidents.

The following features shall be required when purchasing encryption products:

a) The vendor must be financially stable.

b) The product shall employ features that enhance system integrity, such as self testing, to the maximum degree possible.

For Web servers using SSL, the certificate shall be purchased from a recognized Certificate Authority (CA) vendor. The Texas Department of Information Resources (DIR) has approved the following PKI service providers:

a) Baltimore Technologies

b) Digital Signature Trust Company

c) Entrust, Inc

d) VeriSign, Inc

Disciplinary Actions

Violation of this policy may result in disciplinary action which may include termination for employees; a termination of employment relations in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of UTMB IR access privileges, civil and/or criminal prosecution.


References

Texas Administrative Code, Chapter 202

The University of Texas System UTS-165

UTMB IR 2.19.6 - Acceptable Use of Information Resources

UTMB IR 1.0.1 - IR Security Policy Approval Standards

UTMB IR 1.0.2 - IR Security Management Practice Standards Approval Process
