
Encryption Policy

Effective Date: December 1, 2007

Policy Statement

This policy defines the encryption guidelines and standards for Columbia University. 

Reason for the Policy

This policy provides guidance on the situations in which encryption must be used. It also limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.

Primary Guidance to Which This Policy Responds

This policy responds to the Data Classification Policy, which stipulates that sensitive and confidential data are required to be encrypted. This policy also responds to all applicable federal and state statutes pertaining to the protection of sensitive and confidential information that require encryption, including, but not limited to, the Payment Card Industry Data Security Standard (PCI DSS).

Responsible University Office & Officer

The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy.  The Chief Information Security Officer (CISO) is the responsible officer.

Revision History

This policy was established in December 2007.  

The policy was updated in November 2010 to replace DES with AES as the example of a standard encryption algorithm, because AES is the successor to DES; the definitions section was also updated.

Who is Governed by This Policy

This policy applies to all individuals who access, use, or control University electronic information resources. Those individuals covered include, but are not limited to, faculty, staff, students, those working on behalf of the University, and individuals authorized by affiliated institutions and organizations.

Who Should Know This Policy

Anyone who accesses, uses, or controls University electronic information resources should be familiar with this policy.

Exclusions & Special Situations

Existing systems and applications containing sensitive and confidential information that cannot use encryption because of technology limitations, but that have compensating controls, may be granted a special waiver. However, such systems and applications must still be thoroughly risk assessed to ensure that the major risks are addressed by the compensating controls that protect the data in lieu of encryption.
