IT-10: Digital Encryption Policy

Summary

This policy outlines the encryption requirements for confidential data in compliance with state and federal statutes.

Body

PURPOSE

Sam Houston State University (SHSU) is committed to compliance with state and federal statutes associated with the protection of confidential information. Information technology resources that contain or transmit confidential information must be protected with the specified minimum requirements for encryption key standards and management.

SCOPE

The SHSU Digital Encryption Policy applies equally to all individuals entrusted with any SHSU information technology resources. 

POLICY STATEMENT

  1. Minimum encryption requirements to protect confidential information from unauthorized disclosure shall be limited to the following State of Texas encryption requirements:
    • Public information, information as described in the Texas Public Information Act or other enabling laws, rules, and regulations, has no minimum encryption requirements.
    • Confidential information, information that must be protected from unauthorized disclosure or public release based on state or federal law and personal identifying or sensitive personal information as defined in the Texas Business and Commerce Code, must be encrypted with a minimum of 128-bit key length.
    • Statutorily protected data, federal tax information, protected health information, and law enforcement information, is required to comply with NIST certified to FIPS 140-2 standards or the current standard.
  2. Confidential information that is transmitted through or stored on an externally accessible location shall be encrypted from the time it leaves a secure location until it is received into a secure location.
  3. Confidential information should not be copied to or stored on removable media or a non-agency-owned computing device that is not encrypted.
  4. SHSU may also choose to implement these protections for data classifications other than Confidential.
  5. Information resources assigned from one state agency to another, or from a state agency to a contractor or other third-party representative, shall be protected in accordance with the conditions imposed by the providing state agency.

REFERENCE

There are many individual laws, regulations, and policies that establish our information security requirements. While it is not possible to list all potentially applicable laws and regulations, the most relevant are listed in the Texas State University System (TSUS) Rules and Regulations, Rule III Paragraph 19 and associated TSUS IT Policies.

Version: 1.02
Approved By: President’s Cabinet, April 17, 2023 
Reviewed By: Heather Thielemann, Information Resources Manager, April, 2023 
Next Review: April, 2024

Details

Article ID: 20086
Created: Fri 1/31/25 8:41 AM