Effective Date: December 1, 2007
This policy defines the encryption guidelines and standards for Columbia University.
Reason for the Policy
This policy provides guidelines to situations for encryption usage. It also provides guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
Primary Guidance to Which This Policy Responds
This policy responds to the Data Classification Policy, which stipulates sensitive and confidential data are required to be encrypted. This policy also responds to all applicable federal and state statutes pertaining to protection of sensitive and confidential information that require encryption, including, but are not limited to Payment Card Industry Data Security Standard (PCI DSS).
Responsible University Office & Officer
The office of Columbia University Information Technology Security is responsible for the maintenance of this policy, and for responding to questions regarding this policy. The Chief Information Security Officer (CISO) is the responsible officer.
This policy was established in December 2007.
Policy was updated in November 2010 to replace DES with AES as examples of standard encryption algorithms because AES is the successor to DES; also updated the definitions section.
Who is Governed by This Policy
This policy applies to all individuals who access, use, or control University electronic information resources. Those individuals covered include, but are not limited to faculty, staff, students, those working on behalf of the University, and individuals authorized by affiliated institutions and organizations.
Who Should Know This Policy
Anyone who accesses, uses, or controls University electronic information resources should be familiar with this policy.
Exclusions & Special Situations
Existing systems and applications containing sensitive and confidential information which cannot use encryption because of technology limitation but have compensating controls may be granted special waiver. However, these systems and applications must still be thoroughly risk assessed to ensure that major risks are addressed via compensating controls to protect the data in lieu of not using encryption.
See full policy at right