ROWAN UNIVERSITY POLICY
Title: Encryption Policy
Subject: Information Security
Policy No: ISO:2016:05
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 04/01/2016
Last Revision: 03/20/2025
Last Review: 03/20/2025
I. PURPOSE
The purpose of this policy is to provide Rowan University communities guidance on the use of encryption to protect Rowan University's information resources that contain, process, or transmit confidential and/or sensitive information.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer and the Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy.
III. APPLICABILITY
This policy applies to all employees, faculty and staff; student workers, including interns whose job function falls within the scope of this policy by virtue of the types of data access which they are granted, either explicitly or implicitly (such as access to network shares or documents containing data covered by the scope of this policy); and all contractors, vendors and any other third parties entrusted with sensitive data.
IV. DEFINITIONS
Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
- It is the policy of Rowan University to employ encryption to mitigate the risk of disclosure or alteration of confidential and/or sensitive information within Rowan University's information systems infrastructure or through outsourced services, such as cloud storage and software as a service.
- Requirements
  - All laptop computing devices owned by Rowan must employ whole disk encryption, as defined in this policy, to protect University data regardless of how sensitive this data is.
  - All Rowan University owned and BYOD desktop computing devices containing Rowan's confidential and/or sensitive data must employ whole disk encryption, as defined in this policy, to protect this data.
  - All Rowan University owned and BYOD mobile devices, such as tablets and smartphones, containing Rowan confidential and/or sensitive data must employ encryption, as defined in this policy, to protect this data.
  - Databases and network shared systems containing sensitive data not housed in a University approved datacenter must be encrypted.
  - Data in motion: End user facing connections over which confidential or sensitive data may be exchanged should be encrypted in transit when leaving a datacenter to prevent unintended exposure of data where technically practicable.
  - All portable media containing Rowan University confidential and/or sensitive data must employ encryption, as defined in this policy and the Workstation Use and Security Policy, to protect this data.
  - All data contained within email classified as confidential or sensitive leaving Rowan University's managed datacenters must employ encryption in transit where technically practicable, as defined in this policy, to protect this data in transit.
  - Portable computing devices and desktop computing devices that contain Rowan confidential or restricted data solely in transient data files (i.e., files that do not remain on the computing device after a system power down or reboot) are not required to employ whole disk encryption to protect the data, but it is highly recommended to do so when feasible.
- Encryption implementation standard
  - Only encryption solutions approved by the offices of the Chief Information Officer and Information Security Officer may be utilized to satisfy the requirements of this policy.
  - The whole disk encryption solution will centrally manage whole disk encryption client software for all systems, including encryption format, key management, and logging.
  - Based on the classification level assigned to a data asset, data at rest shall be encrypted in accordance with the university Information Classification Policy when the data does not reside in a Rowan University managed and physically secured data center.
  - Based on the classification level assigned to a data asset, data in transit, external to Rowan University managed data centers, shall be encrypted in accordance with the university Information Classification Policy.
  - The exporting or international use of encryption systems shall be in compliance with all United States federal laws (especially the US Department of Commerce's Bureau of Industry and Security's Export Administration Regulations) or appropriate international laws.
  - Technology owners will maintain documented procedures for supported cryptographic algorithms, by data classification level, based on documented baselines provided and maintained by ISO. Technology owners' procedures may include accommodations for each technology agreed upon between the technology owner and ISO.
  - Technology owners, in accordance with ISO standards, will maintain documented procedures for cryptographic key management that include documentation on the processes of:
    - Generating cryptographic keys
    - Distributing cryptographic keys
    - Escrowing cryptographic keys
    - Enabling authorized users to access stored cryptographic keys
    - Changing and updating cryptographic keys
    - Revoking cryptographic keys
    - Archiving cryptographic keys
    - Auditing and logging cryptographic key management
  - Rowan University retains the right to decrypt data using the centrally maintained key(s) to support operational requirements or when approved by the ISO, CIO or general counsel.
- Deployment responsibilities
  - It is the responsibility of the Data Owner and Technology Owner to ensure that systems requiring encryption are identified, and that encryption is properly deployed on these systems.
- End user responsibilities
  - Users must report any known, unencrypted restricted data on portable computing devices to IRT support staff and request assistance in removing the data or acquiring encryption software.
  - Users must not attempt to disable, remove, or otherwise tamper with the encryption software.
- Special Circumstances for Rowan-Virtua SOM
  - Due to the highly confidential and/or sensitive nature of data used at the Rowan-Virtua School of Osteopathic Medicine (Rowan-Virtua SOM), all devices, including but not limited to those referenced above in sections E through F, must employ whole disk and USB encryption.
- Exceptions to Special Circumstances
  - Any Rowan-Virtua SOM device which has the sole purpose of serving multiple users (not assigned to an individual, i.e., Classroom/Lab devices) is explicitly exempt from having USB encryption enabled, provided the machine is not used to read, store, or access confidential and/or sensitive data.
  - Documentation of these devices must be communicated to the Information Security Office (ISO) in writing at the time the device is placed into service or before the USB encryption has been disabled. The ISO will maintain a master list of all devices for which USB encryption has been disabled.
  - Any exception that does not meet the above requirements must be approved by the ISO. All requests must be made using the Rowan Policy Exception form and be submitted to the ISO for approval by the Information Security Officer.
VI. POLICY COMPLIANCE
Violation of this policy may subject the violator to disciplinary actions, up to and including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. Any exceptions to this policy must be approved by the Information Security Office.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer