Encryption

Purpose

The purpose of the Encryption Policy is to outline user expectations regarding encryption algorithms when accessing Institutional Data or using University Information Technology Resources.

Policy

It is Lynn University’s Department of Information Technology (IT) policy to limit the use of encryption to those algorithms that have received public review and acceptance, and must have been proven to work effectively. All requests to encrypt hard drives, files, databases or any other information technology resource must be submitted and approved by the IT Department.

All web sites; public or private, hosted by Lynn University or hosted by 3rd parties, collecting personal information require the use of SSL certificates. The issuing and maintenance of certificates must be made to the IT Department and are assigned and implemented by the IT Department.

Definitions

Encryption —the process of converting data through software into a non-human readable form typically via a password or phrase (which is also used to decrypt the file when the information is to be accessed).

Information Technology Resources-are assigned computer accounts, email services, and the shared University network(s), which includes resources, staff and facilities operated by the University, whether owned, leased, used under license or by agreement, including, but not limited to: telephones (including Electronic Devices) and telephone equipment, voice mail, SMS, desktop laptop computers, electronic devices, hardware, software, networks, computing laboratories, databases, files, information, software licenses, computing-related contracts, network bandwidth, usernames, passwords, documentation, disks, CD-ROMs, DVDs, magnetic tapes, and other electronic media or storage devices. Email, chat, facsimiles, mail, any connection to the University's network(s) or use of any part of the University’s network(s) to access other networks, connections to the Internet that are intended to fulfill information processing and communications functions, communication services, hardware, including printers, scanners, facsimile machines, any off-campus computers and associated equipment provided for the purpose of University work or associated activities.

Institutional Data - is any information, including Directory Information, PII, and Student and Employee Financial Information, and Public Information that can be linked to any individual, including but not limited to, students, faculty, staff, patients, or contractors. Institutional data and all applications storing and transmitting such data, regardless of the media on which they reside, are valuable assets, which the University has an obligation to manage, secure, and protect.

Employee Financial Information—that information the University has obtained from an employee in the process of offering a benefit or service. Offering a benefit or service includes all University sponsored benefit plans and University financial services such as flexible spending accounts, and personal payroll services. Examples of employee financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Student Financial Information—that information the University has obtained from a student in the process of offering a financial product or service, or such information provided to the university by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student's parent when offering a financial aid package, and other miscellaneous financial services as defined in 12 CFR 225.28. Examples of student financial information include bank and credit card account numbers, income and credit histories and social security numbers, in both paper and electronic format.

Procedures/Guidelines

Not applicable.

For more information about this policy, contact Information Technology.

Policy updated on: Oct. 24, 2018