Policy 1 - Acceptable Encryption

1.0 Purpose

The purpose of this policy is to provide guidance that limits the use of encryption technologies to those algorithms that have received substantial public review and have been proven to work effectively. Any questions or comments about this policy should be directed to Information Systems.

2.0 Scope

This policy applies to all Murray State University data, regardless of where it is stored.

3.0 Policy

This policy is to be used as a guideline for encryption methods for Murray State University data. Murray State University requires that certain sensitive data, as provided in the Information Sensitivity Policy, be encrypted according to the Acceptable Encryption Standard. The use of proprietary encryption algorithms is not allowed for any purpose unless reviewed by qualified experts outside of the vendor in question and approved by the Information Security Officer.

Users of MSU’s information technology resources who may be involved in the development, transfer, or sharing of any encryption technology are advised that these activities may be controlled by federal law. Users involved in any such activities should contact Information Systems, which will assist in providing additional information.

4.0 Enforcement

Anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in action up to and including the termination of their contract or assignment with Murray State University.

5.0 Definitions

Encryption

Encryption is a procedure used to convert data from its original form to a format that is unreadable and/or unusable to anyone without the tools/information needed to reverse the encryption process.