1.0 TITLE: Portable Electronic Device / Media Encryption Policy
1.1 EFFECTIVE DATE: 21 October 2010
1.2 TYPE OF ACTION: New Pollicy
1.3 KEY WORDS: Encryption, data at rest
2.0 PURPOSE: To define policy as related to the encryption of data while at rest on portable media or devices.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions, and Agencies of state government, hereafter referred to as entities.
4.1 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (February 2004).
4.2 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules
4.3 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION (FIPS) Publication 46-3, Data Encryption Standards.
4.4 Kansas Information Technology Executive Council (ITEC) Policy 7230 - Default Information Technology Security Requirements (January 2010).
5.1 Sensitive or confidential data is data classified by legislation, state policy, agency policy or FIPS-199 to be regarded as having a serious adverse affect on organizational assets, organizational operations or individuals. Disclosure of this data shall be considered sensitive if its unauthorized release would require notification of the public.
5.2 Secure environment/infrastructure is a location in a facility, an area, a room, a group of rooms, or a vehicle that is/are subject to agency management control/security measures and which contain hardware, software, and/or firmware (e.g., information system servers, controlled interface equipment, associated peripherals or communications equipment, wire closets, patch panels, etc.) that provide access to sensitive data.
5.3 Portable electronic devices and portable electronic media are any electronic devices or media designed for easy transport outside of a secure environment/infrastructure. Examples of these devices include but are not limited to: PDA’s, laptops, USB flash media, SD cards, digital cameras, MP3 players, diskettes, CD, DVD, external hard drives, etc
5.4 Data at rest is defined as computer files that are used as reference, but are not often updated, if at all. They may reside on servers, in backup storage or on the user's own hard disk
6.1 Data deemed sensitive or confidential to an agency, per their policy or pursuant to any state or federal statute(s) or regulation(s), will be encrypted while at rest on portable electronic media/devices. Data sensitivity or confidentiality determinations must be approved in writing per data classification policy procedures. Encryption modules and algorithms to be used shall be NIST-certified, and found on the FIPS 140-2 validation list. The algorithm employed shall be at least as secure as 3DES with a minimum 128 bit Key (KO1 or KO2) as defined in FIPS PUB 46-3.
6.2 Portable electronic devices and media deemed non-sensitive or non-confidential in nature or not intended to be removed fror a secure environment shall be clearly and visibly marked as unencrypted in such a way that the markings cannot be easily removed or altered.
6.3 Approvals for non-encrypted portable electronic devices and media must be in writing from a senior level individual with the controlling agency.
6.4 Measures shall be taken to ensure sensitive data is not stored, temporarily moved to, or transported on non-encrypted media or devices.
6.5 Agencies shall take measures to ensure that data can be retrieved in the event of accidental or malicious loss, destruction or changing of the secret key.
6.6 Agencies shall change any manufacturers default passwords before deployment into a production environment.
6.7 Physically secure facilities and restricted/controlled areas shall be prominently posted and separated from non-sensitive facilities and non-restricted/controlled areas by physical barriers that restrict unauthorized access.
6.8 All physical access points to sensitive facilities or restricted areas housing information systems that can access, process, or display sensitive data shall be controlled/secured.
6.9 The manner in which access is controlled must be acceptable to the entity’s CSO during both working and non-working hours. Physical security perimeters shall be defined by the entity’s CSO.
7.1 Procedures should be developed to train employees and support staff on the proper use, access and any special needs relative to the solution chosen by the agency.
8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Informastion Security Officer is responsible for the maintenance of this policy.
9.0 CANCELLATION: None