Summary of University Encryption & Cryptographic Controls
As set out in the Electronic Information Security Policy, protecting the privacy, business operation and integrity of the University’s computer network is of paramount importance.
This summary document sets out how the University applies encryption and cryptographic control technologies - ensuring that data is protected however and wherever it is processed, stored or communicated and that the University’s ICT computer network and devices are appropriately secured from unauthorised access.
Encryption is particularly applied to how ‘Private’ and ‘Confidential’ data/information must be managed to ensure that it is accessed only by authorised individuals, for its stated and legitimate purpose.
Public Presentation: PUBLIC
Communications
This public document is supportive to the Electronic Information Security Policy.
Scope
The General Data Protection Regulation (GDPR) and The Data Protection Act 2018 require the University to implement appropriate technical and organisational measures to ensure that personal data is processed securely.
Article 32 of the GDPR names encryption as an example of an appropriate technical measure; consequently, encryption is widely applied to ensure that appropriate controls are used in the protection of information and of University services.
This document applies to the use and configuration of encryption applied to University ICT systems, computing devices, communication technologies and services - including all employees, governors, contractors, volunteers, vendors, apprenticeships, student/work experience placements and partner agencies who have access to these systems, equipment and devices.
Encryption works by converting data to make it unreadable and inaccessible to unauthorised individuals. The only way to read the encrypted data is by using a decryption key. The University uses encryption to:
- Secure information and data while stored, processed and handled;
- Protect user credentials (passwords/logons);
- Enable secure communications and connections;
- Enable verification, authentication, identification and validation;
- Secure ad-hoc internet/networked connections between ICT systems and devices.
Encryption for University Devices
Data is best protected by storing it within the University’s case management systems, network and cloud storage facilities. Further information is set out at the following (Link to Storage Help )
Desktop and laptop computers are the most widely used computing devices across the University. Despite the University's advice and guidance, there continue to be situations where data is stored on PCs and laptops, whether knowingly or unwittingly, by users.
The portable nature of laptops increases the risk of theft and/or loss of the device and, more importantly, the loss or disclosure of the data itself.
The most effective and appropriate way of addressing these additional risks is by protecting these devices with password entry and with encryption, using the following methods:
- Operating system images installed on desktop and laptop computers are configured with a minimum of AES-128 (Advanced Encryption Standard symmetric-key encryption with a 128-bit key).
- Encryption employed on desktop and laptop computers allows a random cryptographic key to be generated and the relevant key to be stored in the University's Active Directory (AD).
- During the build process for desktops and laptops, processes are in place to check the make and model of Windows-based computers to verify that they have a Trusted Platform Module (TPM) chip on board.
- During the build process for Apple devices, processes are in place to check the make and model of the devices to verify that they have a viable, current instance of FileVault operating.
- The build process therefore enables the TPM / FileVault functions and starts the encryption process accordingly:
- A random key is generated by the TPM chip or by the Secure Enclave controls;
- Cryptographic keys are written back to Active Directory.
- If the University's computer network is unavailable at build time (preventing keys from being stored in AD), remediation techniques are in place to identify these computers and to initiate the storing of their cryptographic keys in AD.
- All desktop and laptop computers are updated with the latest security and OS patches.
- All desktop and laptop images ensure the continued encryption of hard drives, including timely cryptographic key recovery methods where required.
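The following PowerShell script is an added example, not part of the University document, showing how the Windows build requirements above (TPM present, OS drive encrypted with AES-128 or stronger, recovery key escrowed to AD) can be verified on a device. It assumes the BitLocker and TrustedPlatformModule modules that ship with Windows 10/11; the retry file path and the "record for later escrow" behaviour are assumptions standing in for the University's own remediation process, which the document does not describe.

```powershell
# Added example (not the University's own tooling): read-only compliance check of a
# Windows device against the build requirements, plus AD escrow of the recovery key.
$AllowedMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')   # AES-128 minimum
$RetryFile = 'C:\ProgramData\Encryption\ad-escrow-pending.txt'      # assumed path

function Test-DeviceEncryption {
    $findings = @()

    # 1. A TPM must be present and ready before BitLocker can seal the key to it
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings += 'TPM missing or not ready' }

    # 2. The OS drive must be fully encrypted with an AES cipher of at least 128 bits
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.VolumeStatus -ne 'FullyEncrypted') { $findings += "OS drive status: $($os.VolumeStatus)" }
    if ($os.EncryptionMethod -notin $AllowedMethods) { $findings += "Cipher below policy minimum: $($os.EncryptionMethod)" }

    # 3. A recovery password protector must exist; this is what gets escrowed to AD
    $rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { $findings += 'No recovery password protector configured' }

    return $findings
}

function Backup-RecoveryKeyToAD {
    # Escrow each recovery protector to the computer object in AD. If AD is unreachable,
    # record the device and protector id so the escrow can be retried later (assumed remediation).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($p in ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        } catch {
            New-Item -ItemType Directory -Path (Split-Path $RetryFile) -Force | Out-Null
            "$(Get-Date -Format o) $env:COMPUTERNAME $($p.KeyProtectorId)" | Add-Content -Path $RetryFile
            return $false
        }
    }
    return $true
}

$issues = Test-DeviceEncryption
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Device meets the build encryption requirements' }
```

Run as an administrator on the device being checked; a non-empty findings list means the build should not be accepted until the issue is fixed.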
Encryption for non University devices
Where the device (PC, mobile or tablet, irrespective of manufacturer or operating system) you use to access University information belongs to you, or was bought by the University but does not have the standard access management and encryption controls, its integrity is always in question.
Consequently, whenever any device is used to attempt to access University services and data, its integrity is automatically assessed (including checking whether encryption is available and enabled, and how the device stores local data).
Where the University cannot ensure the security of the device, the request to log-in using that device is rejected.
Encryption – for Mobile Devices and Portable Storage Media
Increasingly, mobile phones are being used by University staff and students. This increases the likelihood of data exposure and, despite the policy and guidance that no data should be stored on these devices, it is inevitable that unforeseen events and actions may cause some Private or Confidential data to be stored on them. The University has taken the following measures in order to address this:
Encryption for Mobile Devices
All University provided mobile phones are configured using Intune Mobile Device Management (MDM) which enforces the use of a pin code lock.
University managed mobile Apps which are authorised for use and which may process or handle personally identifiable data use encryption to protect data.
University authorised Apps use secure encrypted communication protocols such as HTTPS/TLS 1.2 (or higher) when communicating over the internet or any other network connection.
Encryption for Portable Storage Media
Although there is almost no situation where portable storage should be required, the University can provide encrypted USB data sticks. These storage devices are for the temporary storage of Public and Private data only. They must not be used for Confidential or Unauthorised data.
- The University allows the use of University issued USB data sticks (and similar storage devices) under the following conditions:
- Users must set a password for accessing the device.
- The password for encrypted, portable devices must be in accordance with the University’s password complexity rules.
- Once encrypted, using the portable device on any other computer will require the password in order to access it.
- University data stored on encrypted USB sticks (or similar storage devices) must be transferred to an appropriate, secure area on the University’s computer network as soon as possible - University data should NOT remain on the data stick.
Other portable USB devices include mobile phones, cameras etc. These devices should not be used to store Private, Confidential or Unauthorised data. Data collected as part of their use should be transferred to the appropriate system at the earliest opportunity.
Personal storage media and equipment must NOT be connected to the University’s network and must NOT be used to store University data.
If clarification is needed as to the recommended USB data storage devices allowed for use, please contact the Support and Information Zone (SIZ).
Encryption for Internet
Increasingly, Internet websites have adopted the secure, encrypted connection protocol HTTPS (Hyper Text Transfer Protocol Secure) in combination with Transport Layer Security (TLS) as default.
The main search engines such as Google, Bing etc., now use an encrypted connection as standard, however, not all sites have a secure connection as yet. This is something to bear in mind when using the internet for University business.
The University’s public facing websites www.chi.ac.uk and www.help.chi.ac.uk use HTTPS – helping to maximise protection, (including of ‘Public’ services), by encrypting connections which in turn, helps to protect passwords and data while travelling across the internet.
Encryption for Email
All University internal emails (i.e. name@chi.ac.uk to name@chi.ac.uk) are encrypted, as they remain within the secure email environment. Emails sent from the University to external recipients do not ordinarily remain encrypted. The University provides other methods to send secure, encrypted email to external recipients. See link to email encryption help page
Cryptographic keys
Cryptographic keys are required to access data and systems which utilise encryption. The University takes the following approach in the management of these keys:
- Access to cryptographic keys in Active Directory is restricted to authorised staff only; this is currently limited to nominated staff in the ICT Service Development and IT Operations teams, using one-time passwords and active supervision.
- Procedures are in place to ensure that requests for cryptographic keys can be appropriately authorised, provided in a timely manner and appropriately recorded.
- If a cryptographic key is provided for recovering access to a computer, the existing key is revoked and a new key is generated to prevent data leakage.
- Cryptographic keys are securely managed and protected through their whole lifecycle, from initial generation and storage to archiving, retrieving, distributing, retiring and eventual destruction.
- Cryptographic algorithms, key lengths and their use are in accordance with all relevant University policies and procedures and with professional best practice.
- Cryptographic keys are protected through their whole lifecycle against modification, loss, unauthorised access/use or disclosure.
- Equipment used to generate, store and archive keys is physically protected.
- Awareness of encryption/decryption passwords for devices, media or systems is limited to authorised personnel only.
- In the event of a cryptographic key being compromised, the existing key is revoked and a new key (or key pair) generated.
Document Owner: Director of Information and Learning Technologies
Most Recent Review Date: 18 Aug 2023
This document was prepared using the following ISO 27001:2022 standard controls as reference:
A.5.10 - Handling of assets
A.5.12 - Classification of information
A.5.13 - Labelling of information
A.5.14 - Agreements on information transfer
A.5.14 - Information transfer policies and procedures
A.5.14 - Electronic messaging
A.5.20 - Addressing security within supplier agreements
A.5.31 - Regulation of cryptographic controls
A.7.10 - Management of removable media
A.7.10 - Disposal of media
A.7.10 - Physical media transfer
A.8.1 - Mobile device document
A.8.20 - Network controls
A.8.24 - Document on the use of cryptographic controls
A.8.24 - Key management