ISP-16 Encryption policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy outlines the University's approach to protecting data through encryption, ensuring that information classified as Confidential or above is safeguarded during storage and transfer. It applies to all systems and individuals handling such data, mandating the use of industry-standard encryption methods. The policy highlights the importance of secure key management and compliance with legal requirements, including the potential decryption of data when travelling abroad.

Control information: Control detail
Owner: Chief Information Security Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Information Security Officer, IT Services
Consulted: Security Architect, Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: IT Services
Version: 5
Approval date: 05 March 2025
Effective date: 05 March 2025
Interim review effective date: 30 July 2025
Full review period: 1 year
Date of next full review: 31 December 2025
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements: Not applicable
Applicable statutory, legal or best practice requirements:
  • UK law (Regulation of Investigatory Powers Act - RIPA)
  • International laws and regulations
  • Industry best practice (encryption standards)
Keywords: access control, Advanced Encryption Standard (AES), compliance, confidential data, confidentiality, data at rest, data protection, decryption, encryption, encryption keys, IT services, key management, legal obligations, public authorities, regulatory compliance, security, Transport Layer Security (TLS), travel & decryption, university systems

1. Updates to this policy

1.1. This policy has been updated to align to the new University of Bristol policy management framework. 

2. Introduction

2.1. This Encryption policy is a sub-policy of the ISP-01 Information security policy and sets out the principles and expectations of how and when information should be encrypted.

3. Scope

3.1. This policy applies to all systems, including personal computing devices, cloud systems, servers, and networks, that contain University-owned information classified as Confidential or above. It covers anyone involved in processing such information, including staff, students, and other users of University systems.

4. Definitions

4.1. Encryption: A mathematical function using a secret value - the key - which encodes (scrambles) data so that only users with access to that key can read the information. In many cases, encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of data.

4.2. A member of the University: This is defined in University Constitution: Ordinance 9, Section 7.

4.3. AES (Advanced Encryption Standard): A widely used encryption method for securing data at rest.

4.4. Confidential data: A classification of information that requires protection due to its sensitive nature, as defined by the University's Information Classification Scheme.

4.5. Data at rest: Data stored on physical devices or cloud systems that is not actively being transferred or used.

4.6. Data in transit: Data that is being transferred between devices or systems.

4.7. Decryption: The process of converting encrypted data back into its original, readable form using a key.

4.8. Transport Layer Security (TLS): A cryptographic protocol used to secure data in transit across networks, ensuring it cannot be intercepted or read.

5. Responsibilities

5.1. University Members: Must ensure they understand and comply with information security policies and encrypt any University data classified as Confidential or above during storage and transfer. They must ensure encryption keys are managed securely. Members must also follow the University's guidance on travelling abroad and avoid travelling with Confidential data.

5.2. External Partners and Contractors: Any third parties who handle University information classified as Confidential or above must comply with the University's security policies and contractual arrangements, including secure data exchanges and information handling during their engagement.

5.3. IT Services: Are responsible for encrypting University systems, managing encryption keys, and providing guidance on secure encryption practices.

5.4. Supervisors and Line Managers: Have a responsibility to ensure that encryption practices are implemented within their teams. They are also responsible for ensuring their team understands the information security policies and undergoes mandatory Information Security training.

6. When to use encryption

6.1. Encryption is a critical method of safeguarding data across various data storage and transfer activities. This includes, but is not limited to, the short-term or long-term storage of data (for example data locally stored on a device, portable drives, cloud backups, databases and file servers) and the transfer of data between systems (for example through email, web and file sharing solutions and instant messaging).

6.2. When handling data classified as Confidential or above in the University's Information Classification Scheme, either during storage or transfer, encryption must always be used to prevent unwanted access to the data.

6.3. In most cases, encryption keys will be in the form of a password or passphrase.

6.4. Losing or forgetting the encryption key will render encrypted information unusable, so it is critical that encryption keys are effectively managed. When encrypting files, individuals are responsible for the management and secure storage of encryption keys.

6.5. The means of decrypting files (encryption keys, passwords etc.) should never be stored or transmitted alongside the encrypted files themselves, and should only be shared on a need-to-know basis with authorised parties.

6.6. If the encryption key or password needs to be shared, it should be shared through a different medium from the one used to share the encrypted data. Suitable options could be: in person, SMS or over a voice call. As an example, where an encrypted file is sent via email, the password should be sent via SMS (text message) or verbally by phone.

7. Encryption methods

7.1. Data must be encrypted using industry-recognised standards, such as Advanced Encryption Standard (AES) for data at rest, and Transport Layer Security (TLS) for data in transit.

7.2. From time to time, security flaws can be found in encryption methods which can result in them being deprecated and removed as an industry standard. Care should be taken to ensure any encryption used does not contain deprecated standards (examples of this are SHA-1, TLS 1.1 and SSL).

8. Encryption of data at rest

8.1. Data can be considered at rest when it is held physically in computer storage (on cloud storage, file hosting services, databases, spreadsheets and as files stored on computing devices). When at rest, data classified as Confidential or above must always be encrypted to prevent unwanted access.

8.2. All end-user devices (laptops, mobile phones and portable drives) containing or accessing University-owned data of any classification must be encrypted.

8.3. University-owned devices will be encrypted as part of the deployment process with encryption keys managed by IT Services. In cases where data classified as Confidential or above is handled on a non-University-owned device or system (including laptops, USB drives, mobile devices and third-party cloud storage solutions), the owner of the device, or user of the system, must take responsibility for ensuring the encryption of the data. This includes the secure storage of passwords and keys for accessing and decrypting the data.

9. Encryption of data in transit

9.1. When transferring data classified as Confidential or above from one device or system to another (such as across the internet or over wired or wireless connections), data must be encrypted.

9.2. Encryption during transfer must either be through the conversion of data into an encrypted format (for example through file encryption) or through the use of a secure communication method which is able to provide assurance that the content cannot be understood if intercepted (such as using Transport Layer Security or TLS for short).

9.3. Where University data is accessed but not stored (such as using a web browser to access websites containing University data), these services must be protected using encryption such as TLS.

9.4. For information classified below Confidential (Public and Open), encryption is still recommended and is best practice for maintaining data integrity.

9.5. For additional guidance on encryption standards and when to use encryption, contact IT Services.

10. UK law and travelling abroad

10.1. Upon leaving or entering the UK, you may be required by UK authorities to decrypt any devices or files you have stored on devices in your possession. Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes a provision whereby certain "public authorities" (including, but not limited to, law enforcement agencies) can require the decryption of devices or files. Failure to comply with such a lawful request is a criminal offence in the UK.

10.2. Similarly, government agencies operating outside of the UK may require you to decrypt your devices or files upon entry to or exit from their territories. If you travel abroad with encrypted data classified as Confidential or above, there is a risk that the data may require decryption and therefore a risk of disclosure. It is advised that you consider the consequences of such disclosure and wherever possible information classified as Confidential or above should not be taken with you while travelling.

10.3. For access to information classified as Confidential or above abroad, it is recommended the data remains stored on University systems, with access to the data provided by means of a secure and encrypted remote connection.

10.4. For further information on device encryption and processing personal data when travelling abroad, see the IT Services guidance page: Keep safe when you travel (sharepoint.com - staff and student access only).

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.
