The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

1. Purpose

   The purpose of this compliance standard is to establish guidelines for the use of encryption to secure University information in transit on a network or stored on any form of media.

2. Definitions

   Encryption: Encrypting or scrambling data to assure confidentiality and integrity.

   In Transit: Data being moved from one location to another.

   At Rest: Data stored in a location

   ITS is the acronym for the official name of Information Technology Services.

   Escrowing: Storing and managing key and/or certificates in a system to protect against lost or stolen keys or certificates.

   Proven Standardized Algorithms are ciphers or methods of encryption that are either selected as official methods for the Federal Information Processing Standard or methods that have experienced intense scrutiny and have widespread use.

   User includes anyone who accesses and uses the Old Dominion University information technology resources.

3. Standards Statement

   1. Encryption Usage

      Only industry standard algorithms and methods will be used as the basis for encryption technology. Accepted methods are available from ITS upon request.

      Public and private key sizes and algorithms must meet the current best practices for industry standard encryption. Hashing algorithms for digital signatures or password obfuscation with weaknesses such as MD5 and SHA1 should not be used.

      IT Security will follow a documented response procedure for when keys are compromised.

      ODU must have a secure key management process for the administration and distribution of encryption keys.

      ODU must generate all encryption keys through an approved encryption package and securely store the keys in the event of key loss due to unexpected circumstances.

      Encryption must be used during transmission of sensitive data commensurate with sensitivity and risk.

      Encryption should be used for all transmission of data when possible.

   2. Key and Certificate Management

      1. In Transit Encryption

         1. Keys and Certificates for in transit Encryption should be protected from incidental release and not transmitted through insecure methods.

         2. These keys must be changed if they are compromised.

      2. At Rest Encryption

         1. Escrowing keys and certificates are essential for disaster recovery and business continuity. Keys and certificates for critical business services must be escrowed with ITS Security. This includes any keys used by systems or users to protect documents or data.

      3. Personal Encryption

         1. Keys used as personal credentials must be escrowed by the user.

         2. Keys used for personal at rest encryption must be escrowed by ITS Security or through an approved system.

   3. Encryption Outside of the United States

      Users must comply with Federal law regarding the development and use of encryption outside of the United States.

4. Procedures, Guidelines & Other Related Information

   Federal and State Law

   University Policy 3500 - Use of Computing Resources

   University Policy 3504 - Data Classification

   University Policy 3505 - Information Technology Security

5. History

   Date	Responsible Party	Action
   October 2008	ITAC/CIO	Created
   October 2010	ITAC/CIO	Reaffirmed
   October 2011	ITAC/CIO	Reaffirmed
   March 2014	IT Policy Office	Minor rewording for clarity Number revision and departmental name change
   May 2018	IT Policy Office	Reviewed; definitions and links updated
   January 2022	IT Policy Office	Reviewed and updated links; minor wording changes