Policy Statement:

Rockhurst University is committed to protecting the confidentiality, integrity, and availability of sensitive data. This Data Encryption Policy establishes guidelines for encrypting sensitive data in motion (during transmission) and at rest (when stored), following industry best practices.

Scope:

This policy applies to all Rockhurst University personnel, including employees, contractors, and third-party service providers who handle sensitive data in the course of their work.

Data Classification:

Sensitive data shall be classified based on its confidentiality and regulatory requirements. Examples of sensitive data include personally identifiable information (PII), financial data, healthcare information, research data, and any other data that, if compromised, could harm individuals or the university.

Encryption for Data in Motion:

  • Secure Communication Protocols:
    1. All sensitive data transmitted over networks, both internal and external, shall use secure communication protocols, such as HTTPS/TLS, to encrypt data during transmission.
    2. Applications, web services, and APIs that transmit sensitive data must use secure protocols and cryptographic algorithms approved by recognized standards organizations.
  • Secure Email Communication:
    1. Sensitive data sent via email must be encrypted using secure email encryption mechanisms or secure file transfer protocols.
    2. Sensitive attachments should be encrypted separately before sending them via email.

Encryption for Data at Rest:

  • Database Encryption:
    1. Sensitive data stored in databases shall be encrypted at the field level or database level, based on the data's classification and regulatory requirements.
    2. Encryption keys used for database encryption must be securely stored and managed, following best practices for key management.
  • File and Disk Encryption:
    1. Sensitive data stored on laptops, desktops, servers, and other devices shall be encrypted using full disk encryption (FDE) or file-level encryption, based on the data's classification and regulatory requirements.
    2. Encryption keys used for file and disk encryption must be securely stored and managed, following best practices for key management.
  • Cloud Storage Encryption:
    1. Sensitive data stored in cloud environments must be encrypted at rest using encryption mechanisms provided by the cloud service provider or through client-side encryption.
    2. The encryption keys used for cloud storage encryption must be securely managed and protected.

Encryption Key Management:

  • Key Generation and Storage:
    1. Encryption keys used for data encryption must be generated using strong cryptographic algorithms and securely stored.
    2. Keys shall be protected against unauthorized access, loss, or theft through appropriate access controls and encryption mechanisms.
  • Key Rotation and Retirement:
    1. Encryption keys shall be periodically rotated to minimize the risk associated with compromised or weakened keys.
    2. When encryption keys are retired, the data encrypted with those keys shall be securely re-encrypted or permanently deleted.

Compliance with Regulations:

Rockhurst University shall ensure that data encryption practices align with relevant security and privacy regulations, such as GDPR, FERPA, HIPAA, and PCI DSS. Encryption measures implemented must meet or exceed the encryption requirements outlined in these regulations.

Incident Response and Reporting:

In the event of a security incident or suspected data breach involving encrypted data, the university's incident response plan shall be followed. All incidents must be reported promptly to the appropriate authorities as required by applicable regulations.

Training and Awareness:

Rockhurst University shall provide regular training and awareness programs to educate personnel about data encryption best practices, the importance of encryption, and the proper handling of encrypted data.

Policy Review:

This Data Encryption Policy shall be reviewed periodically to ensure its effectiveness, alignment with industry best practices, and compliance with changing regulations. Updates to the policy may be made as necessary.

Policy Non-Compliance:

Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.

By adhering to this Data Encryption Policy, Rockhurst University aims to safeguard sensitive data from unauthorized access, maintain compliance with regulations, and protect the confidentiality and integrity of information assets.