Policy Template

UTMB INFORMATION RESOURCES PRACTICE STANDARD
Section 1: Security Management
Subject 2: Data Transfers/Communications
Practice Standard 1.2.9 Data Encryption Requirements
02/28/2009 - Effective
05/25/2012 - Revised
Information Security Officer - Author
Data Encryption Requirements
Introduction
Cryptography is the science of transforming data so that it is
interpretable only by authorized persons. Data that is unencrypted is
called plaintext. The process of disguising plaintext data is called
encryption, and encrypted data is called ciphertext. The process of
transforming ciphertext back to plaintext is called decryption. The
Texas Administrative Code states that, “encryption techniques for
storage and transmission of information shall be used based on
documented security risk management decisions.”
Purpose
The purpose of the Data Encryption Practice Standard is to set
minimum encryption standards for the transmission of confidential
data via the Internet, to establish rules for transmitting confidential
data and to identify the roles and responsibilities of the End-User,
Management and Information Services.
Audience
The UTMB Data Encryption Practice Standard applies equally to all
individuals who use any UTMB information resource.
Confidential Digital Data Management
Confidential Digital Data includes social security numbers, Protected
Health Information (PHI), Confidential Research Data, digital data
associated with an individual and/or digital data protected by law.
Confidential digital data must be secured and protected while at rest
on mobile computing/storage devices (i.e., portable hard drives,
removable media, laptops, PDA or flash drive) and in transit (via the
Internet or non-trusted network).
Implications

All confidential data sent over a public network will be encrypted
using a minimum of 128-bit encryption. Data transmissions within
the confines of the UTMB network, to include external systems
connected to UTMB via a Virtual Private Network (VPN), are
considered secure and do not require encryption.

Encryption methods must employ key recovery so that data can
be recovered in the event that an employee leaves UTMB or the
employee’s key is lost or stolen.
Practice Standard

If information that is considered to be confidential, such as PHI,
SSNs, credit card, or other data classified as confidential by the
data owner, traverses an un-trusted public network, such as the
Internet, then the data shall be encrypted with at least 128-bit
encryption.

Options for encrypting data in transit include:
a) Secure Sockets Layer (SSL) – which uses public key
cryptography to encrypt Web application sessions between the
user’s browser and the Web server. The Web server must have
a certificate that has been generated by a Public Key
Infrastructure (PKI). Users’ browsers come pre-configured to
“trust” the certificates of these well-known CAs, and browser
client side certificates are not required.
b) Virtual Private Networks (VPN) – use software and/or
hardware to encrypt data between participating networks, or
clients and networks. IP Security (IPSec) increasingly is
becoming the standard for providing authentication and
encryption between sites. IPSec authentication is based on the
exchange of keys between communicating devices.
c) Public Key Infrastructure (PKI) - A PKI (public key
infrastructure) enables users of a basically unsecured public
network, such as the Internet, to securely and privately
exchange data through the use of a public and a private
cryptographic key pair that is obtained and shared through a
trusted authority.
d) E-Mail – e-mail systems can support some types of
encryption. Major mail clients can support encryption natively
using Transport Layer Security (TLS) or S/MIME.
e) Documents – The Microsoft Office Suite and the Adobe
Portable Document Format have native encryption features
that support algorithms up to 128 bits.
f) Encrypted removable media – hardware encrypted removable
media support features including remote wiping and
management features, such as key/file recovery and single-use
access keys.

Options for encrypting data at rest include:
a) Full disk encryption – entire contents of disk is encrypted.
b) OS or system specific drive/file encryption – OS enabled
security features provide drive/file encryption, such as
iPhone/iPad with security enabled.
• Encryption keys shall be considered synonymous with UTMB’s
most sensitive category of information, and access to those keys
must be restricted on a “need-to-know” basis. The keys to be used
for encryption must be generated by means that are not easily
reproducible by outside parties.
• If an encryption solution is not available for a particular Internet
transport protocol (i.e., email, FTP, IM, etc.), then information that
has been classified as confidential must not be transmitted using
that protocol.
End-Users Responsibilities
a) Users must be familiar with data classification standards and
encrypt data when appropriate.
b) When the data classification is unknown, users must check
with the data owner. If the data owner is unavailable or unknown,
data must be encrypted when sent via the Internet.
c) Users must not circumvent enterprise encryption solutions.
d) Users must not post sensitive data to websites external to
UTMB unless the website is known to be secure.
Management Responsibilities
a) Department Managers will ensure that users are aware of
UTMB’s data classification scheme.
b) Department Managers will ensure that users are aware of
UTMB’s encryption requirements when sending sensitive data
via the Internet.
c) When required, Department Managers will
ensure that users are equipped with the necessary encryption
tools to facilitate secure data transmissions.
Information Services
Information Services, using industry best practices, will
implement, maintain and make available to the UTMB user
community encryption solutions for the following data
transport mechanisms:
a) Email
b) File Transfer Protocol (FTP)
c) Instant Messaging (IM)
d) Institutional Collaboration Services
e) Web Sites
The Information Services Security Department will monitor
Internet traffic for evidence of confidential data that has been
transmitted in an insecure/unencrypted format.
The Information Services Security Department will inform
identified individuals of policy violations and will make
educational awareness material available to curtail future
incidents.
The following features shall be required when purchasing
encryption products:
a) The vendor must be financially stable.
b) The product shall employ features that enhance system
integrity, such as self testing, to the maximum degree possible.
For Web servers using SSL, the certificate shall be purchased from a
recognized Certificate Authority (CA) vendor. The Texas
Department of Information Resources (DIR) has approved the
following PKI service providers:
a) Baltimore Technologies
b) Digital Signature Trust Company
c) Entrust, Inc
d) VeriSign, Inc
Disciplinary Actions
Violation of this policy may result in disciplinary action which may
include termination for employees; a termination of employment
relations in the case of contractors or consultants; or suspension or
expulsion in the case of a student. Additionally, individuals are
subject to loss of UTMB IR access privileges, civil and/or criminal
prosecution.
References





Texas Administrative Code, Chapter 202
The University of Texas System – UTS-165
UTMB IR 2.19.6 - Acceptable Use of Information Resources
UTMB IR 1.0.1 - IR Security Policy Approval Standards
UTMB IR 1.0.2 - IR Security Management Practice Standards Approval Process