BP 8109 Encryption

Statement of purpose

PCC’s Information Security Policies support the following goals:

  1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
  2. Ensure that PCC complies with all applicable laws and regulations.
  3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
  4. Ensure that users are protected from data breach and cybercrime.
  5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
  6. Prevent unauthorized disclosure of controlled sensitive data.
  7. Prevent disruption of the learning experience.
  8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
  9. Ensure that IT systems are used for their intended purposes.
  10. Establish processes for addressing policy violations and sanctions for violators.

Encryption is the best protection against a data breach. While it may not protect against some other types of cyber threats, it does ensure that any data stolen as the result of a breach is unusable to whoever obtains it, provided the encryption keys are not compromised along with the data.

However, there are techniques to subvert encryption protection (e.g. “man in the middle” attacks), so a strong encryption policy is essential to ensure the robustness of the program.

Scope statement

This policy applies to all controlled sensitive data for which PCC is the custodian and all PCC IT resources that store or transmit such data. Accountable and responsible individuals are the Information Security team and IT operational support personnel. For PCC systems supported and maintained by third parties, such parties are also subject to this policy.

Policy summary

All Portland Community College (PCC) controlled sensitive data stored (at rest) or transmitted (in transit) shall be encrypted to current industry encryption standards.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

Certificates
  1. Security certificates (“certs”) shall be used to confirm identity, secure communications between parties, and ensure integrity of transmissions.
  2. Requests for certs that do not meet the requirements in this policy may be denied or subject to revocation.
Keys
  1. Cryptographic keys (“keys”) shall be generated, accessed, distributed, rotated, stored, and disposed of in a controlled and secured manner.
  2. Documentation provided to customers who have a need to exchange keys with PCC shall include these policies and procedures.
  3. Keys used to encrypt and decrypt data shall be protected from general access. Only custodians approved by the CIO shall be granted access to the key components and access audit trails shall be maintained.
  4. All keys shall be changed regularly or when circumstances dictate a change to maintain encryption or key integrity.
    1. Regular rotation: Keys shall be changed at least every two years.
    2. Suspicious activity: This change is driven by any activity related to the key process that raises concern regarding the security of the existing key.
    3. Resource change: Keys shall be changed or revoked if a resource with knowledge of the keys terminates employment or assumes a new job that no longer requires access to an encryption process.
    4. Technical requirement: Keys shall be changed if the key in place has become questionable due to a technical issue, such as corruption, instability, or vulnerability.
  5. Keys no longer in service shall be disposed of in accordance with the process outlined in the Data Retention and Disposal Policy.
Email transmission of controlled sensitive data
  1. Controlled sensitive data shall never be sent unencrypted through email.
  2. Employees with a valid business justification for emailing controlled sensitive data outside of PCC’s domain shall use sanctioned email encryption software.
Encryption of wireless networks
  1. All wireless networks in use at PCC facilities shall be protected using current industry encryption standards (the encryption strength shall not be less than 128 bits).
Data at rest
  1. Enterprise databases containing controlled sensitive data shall be encrypted using current industry encryption standards.
  2. Sanctioned unstructured data stores (e.g. Google Drive) shall be encrypted using current industry encryption standards.
  3. Disk encryption shall be enforced on PCC-issued mobile computing devices. Encryption keys for mobile computing devices shall not be associated with user accounts and shall be stored securely on removable media with strong access controls.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Security Officer (CISO).

Policy violation

  1. Violation of this policy may result in disciplinary action in accordance with PCC Human Resources and/or Student Conduct guidelines.
  2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
  3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
  4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint procedures

Report non-security-related violations (such as receipt of inappropriate content, other Human Resource policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, HR, or EthicPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing standards, policies, and guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

  • Chief Information Officer (CIO)
    Senior manager of the Information Technology (IT) Department and a member of Cabinet.

    • At PCC, the CIO is responsible for all technology, with the exception of:
      • Online Learning (Academic Affairs)
      • Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
      • Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
  • Chief Information Security Officer (CISO)
    Senior manager responsible for information security compliance at PCC.
  • Controlled Sensitive Data (CSD)
    A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

    • CSD includes: PII, PHI, data regulated under HIPAA or FERPA, and any other regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.
  • Cryptographic Key
    A unique and secret piece of data that is required to encrypt and subsequently decrypt a specific piece of information.

    • A cryptographic key determines the correct output of a cryptographic algorithm. Most commonly used cryptographic systems use pairs of keys:
      1. Public key, which may be disseminated widely. It is used to verify that the holder of the paired private key sent the message (authentication).
      2. Private key, which is known only to the owner. Only the holder of the paired private key can decrypt a message encrypted with the public key.
  • Cybercrime
    Criminal activity or a crime that involves the Internet, a computer system, or computer technology.
  • Data Breach
    Generally, an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.

    • Note: Although “breach” is a commonly used term in the information security community, legally, the term “breach” tends to only be used when a security event reaches the threshold of regulatory reporting. PCC legal counsel recommends using the terms “incident” or “compromise” until it can be determined whether an event satisfies the legal definition of a breach.
  • Decryption
    The process of converting data back to readable form (“plaintext”) from encrypted form, so it is usable.
  • Encryption
    The process of converting data to an unrecognizable or “encrypted” form.

    • Encryption is commonly used to protect sensitive information so that only authorized parties can view it.
  • Hard Disk
    A data storage device that uses magnetic storage to store and retrieve digital information using one or more rigid, rapidly rotating disks (platters) coated with magnetic material.
  • Hardware
    The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)
  • IT Resource
    (At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

    • IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
  • Network
    (In IT) The technology that carries messages between one computer and another.

    • A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.
    • End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.
    • The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).
  • Security Certificate (Cert)
    An encrypted code, provided by a trusted authority, that validates to another party that you are who you say you are.

    • Used to confirm identity, secure communications between parties and ensure the integrity of transmissions. For example, if a website has a valid certificate it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization and that communication with that website is encrypted.
  • Software
    A set of instructions that tells a computer what to do.

    • Computer software is generally constructed as programs (applications) written in a specific language and designed to run on computer hardware. The most common software consists of applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.
  • System
    (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

    • The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
  • Third Party
    (In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”
  • User
    Any person who makes any use of any PCC IT resource from any location (whether authorized or not).

Responsible executive

Chief Information Officer

Responsible officer

Chief Information Security Officer (CISO)

Responsible office

IT Information Security

Last revision date

09-18-2019