I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines requirements for the use of encryption technologies to protect FSU data and resources. Encryption is the process of encoding messages or information in order to protect data or communication and can be applied to data that is stored (at rest) or transmitted (in transit) over networks.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Full IT Glossary
III. Standard
FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.
University Units are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Controls supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework and Controls
Function | Category | Desired Outcome (Subcategory) |
Protect (PR) | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-1: Data-at-rest is protected |
 | | PR.DS-2: Data-in-transit is protected |
 | | PR.DS-5: Protections against data leaks are implemented |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with IT security policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
For more information, see IT Roles and Responsibilities.
Data Classification
Data Custodians are responsible for classifying all data for which they are responsible according to the requirements of the 4-OP-H-25.01 Data Security Standard. The data classification determines the baseline security protections and controls that are appropriate and required to protect the confidentiality, integrity, and availability of data, including the minimum security standards applicable for the encryption of all institutional data accessed, created, stored, processed, or transmitted.
Users must exercise caution to protect and secure FSU data, devices, and portable storage media.
Automatic Encryption
FSU approved Network/Cloud Shares (e.g. OneDrive, SharePoint) provide automatic encryption and secure storage when used. Users who choose not to use Network Shares are responsible for meeting all encryption requirements as defined by this Standard. For more information, see Guidelines for the use of personal cloud services (fsu.edu).
Key Management
To prevent data loss, key management processes must be in place and documented prior to encrypting data at rest. CUU and University Unit ISMs are responsible for ensuring that units and individuals processing, maintaining, storing, or transmitting encrypted High Risk or Moderate Risk data abide by a documented cryptographic key management plan that protects the creation, use, distribution, storage, and recovery of cryptographic keys. Effective key management is critical to prevent unauthorized disclosure and to ensure access to data when needed. If a key is lost, it is highly likely that the data on the device cannot be recovered, particularly if there are no other copies of the data available.
Cryptographic keys are a type of IT security information classified as High Risk data, and must themselves be encrypted while stored. Keys must be stored separately from encrypted data. Keys stored on a physical medium (paper, CD, flash storage) must remain constantly locked in a secured location.
Encryption of Data at Rest
Encryption of data at rest means encrypting data when it is stored on a server or storage medium. There are two ways to encrypt data at rest.
- Full-disk Encryption, also known as whole-disk encryption, encrypts the entire device, disk partitions at once, or disk sectors in use at the time of encryption and additional sectors as data is generated. It provides good protection against data loss due to theft or other loss and requires less attention to how files are managed.
- File-Level Encryption encrypts individual files. There are two methods for file-level encryption:
  - Files are decrypted only when in use, as is typically the case with application-based encryption.
  - Files are not automatically re-encrypted when viewing or editing is complete, as is the case with standalone encryption utilities. The key to decrypt the file should be shared separately from the file via a different method of transmission. This is sometimes referred to as container-based encryption.
The appropriate encryption method must be selected based on the data classification and type of device. CUU and University Unit ISMs are responsible for ensuring secure configurations and meeting the following encryption requirements within their units:
Table 1. Encryption Requirements for Data at Rest
Device Type | Data Classification | | |
 | High Risk Data | Moderate Risk Data | Low Risk Data |
Devices in Data Centers or protected facilities | Required. Data stored on data center devices are also covered under the requirements of the 4-OP-H-25.08 IT Physical Security Standard. | Unit's Discretion | |
Portable and Removable Storage Media | Required. Additional care must be given to security of portable media and is restricted to work-related purposes for backup or storage. | Unit's Discretion | |
Laptops and other portable devices | Required | Required | Recommended |
Desktops | Required | Required | Unit's Discretion |
Personally Owned Devices | Storage of High Risk or Moderate Risk Data Not Permitted | Unit's Discretion | |
Database Storage | Required | Required | |
Data Backups and Archives | Required | Unit's Discretion |
Encryption of Data In Transit
Encryption of data in transit is required to reduce the risk of unencrypted data being intercepted or monitored as it is transmitted on trusted or untrusted networks. Unauthorized access could jeopardize the confidentiality of sensitive institutional data. CUU and University Unit ISMs are responsible for ensuring the following encryption requirements are met within the units for which they are responsible:
Table 2. Encryption Requirements for Data in Transit
Method | Data Classification | | |
 | High Risk Data | Moderate Risk Data | Low Risk Data |
Information sent via email | Required | Required | Unit's Discretion |
Data transmitted between devices within the FSU network | Required | Required | Unit's Discretion |
Information transmitted outside of the FSU network | Required | Required | Unit's Discretion |
Administration of hardware, software or applications performed over a network | Required | Required | Required |
The following are examples of commonly employed technologies that provide encryption of data in transit.
Virtual Private Network (VPN): Users traveling on university business or who need to access the FSU network and any High Risk or Moderate Risk University data from a non-university or public network must log into the FSU Virtual Private Network. It also permits access to applications or data that require an on-campus connection. For more information, see ITS Service Catalog - VPN.
Secure Web Traffic (HTTPS): HTTPS is a protocol that encrypts traffic between a web browser and a web-based application. Units shall use a university-provided certificate service. For more information, see ITS Service Catalog - Enterprise SSL.
Transport Layer Security (TLS): TLS is a cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.