Standard Statement:
This standard outlines the encryption requirements for information storage devices and data transmissions within our organization. The standard addresses specific requirements for portable devices, removable media, encryption key standards, and management based on documented risk management decisions. It mandates the encryption of confidential information transmitted over public networks and stored in publicly accessible locations and on various devices. The minimum encryption algorithm strength is set at 128 bits, subject to state organization risk management decisions.
1. Encryption for Data Transmissions:
1.1. Confidential Information over Public Networks: Confidential information that is transmitted over a public network (e.g., the Internet) must be encrypted using secure encryption protocols and algorithms.
1.2. Confidential Information in Public Locations: Confidential information stored in a public location that is directly accessible without compensating controls (e.g., FTP without access control) must be encrypted before storage.
2. Encryption for Information Storage Devices:
2.1. Portable Devices: Confidential information must be encrypted if copied to or stored on portable computing devices, including but not limited to laptops, smartphones, and tablets.
2.2. Removable Media: Confidential information must be encrypted if copied to or stored on removable media such as USB drives, external hard drives, or DVDs.
2.3. Non-State Organization Owned Devices: Confidential information must be encrypted if copied to or stored on non-state organization-owned computing devices used for business purposes.
3. Encryption Algorithm Strength:
3.1. The minimum encryption algorithm strength for protecting confidential information is a 128-bit encryption algorithm.
3.2. Exceptions to the minimum algorithm strength may be considered based on documented state organization risk management decisions, which must be justified and documented in accordance with relevant regulatory requirements, including 1 Texas Administrative Code §§ 202.21(c), 202.71(c), 202.25 and 202.75.
4. Encryption Key Standards and Management:
4.1. Encryption keys used for data encryption must meet industry-recognized standards for key length, entropy, and randomness.
4.2. Key management practices must be implemented, including secure key generation, storage, rotation, and recovery procedures.
4.3. Access to encryption keys must be strictly controlled and monitored, with authorized personnel designated for key management responsibilities.
5. Compliance and Documentation:
5.1. All personnel must adhere to this encryption policy and related procedures.
5.2. Compliance with this policy will be regularly audited to ensure that encryption standards are met and maintained.
5.3. Documentation of risk management decisions, exceptions to encryption standards, and related justifications must be maintained in accordance with applicable regulations.
Policy Review:
This policy shall be reviewed annually or as necessary to align with changes in regulatory requirements, technology, and organizational risk management decisions. This review will be completed by the IT Security Director or designated appointee.
Procedures for Encryption Implementation:
1. Data Transmissions Encryption Procedure:
1.1. All confidential information transmitted over public networks must use secure encryption protocols and algorithms.
1.2. Implement access controls and encryption for confidential information stored in publicly accessible locations.
2. Information Storage Encryption Procedure:
2.1. Encrypt confidential information on portable devices, removable media, and personal computing devices with organizational data.
2.2. Ensure that encryption is applied before data is copied to or stored on these devices.
3. Encryption Algorithm Strength Exception Procedure:
3.1. Requests for exceptions to the 128-bit encryption algorithm strength must be submitted to the designated authority.
3.2. Justify and document exceptions based on documented state organization risk management decisions and in accordance with applicable regulations.
4. Encryption Key Standards and Management Procedure:
4.1. Implement secure key generation, storage, rotation, and recovery procedures in line with industry standards.
4.2. Control and monitor access to encryption keys, designating authorized personnel for key management responsibilities.
5. Compliance and Documentation Procedure:
5.1. Conduct regular audits to ensure compliance with encryption policy and related procedures.
5.2. Maintain documentation of risk management decisions, exceptions, and justifications as required by applicable regulations.
6. Training and Awareness Procedure:
6.1. Provide training and awareness programs for all personnel involved in handling confidential information and encryption processes.
6.2. Ensure that personnel understand the importance of encryption, encryption procedures, and their responsibilities regarding encryption.
7. Incident Response Procedure:
7.1. Develop an incident response plan that includes procedures for identifying and addressing security incidents related to encryption, such as key compromise or data breaches.
7.2. The incident response plan should specify how to handle and recover from encryption-related incidents promptly.