Purpose
To ensure that the disclosure of sensitive information to unintended recipients has been minimized.
Standard
- Encryption shall be used when the electronic transmission of information involves sensitive data that passes over the public network.
- All portable computers containing sensitive data shall employ full-disk encryption.
- Sensitivity of data will be determined by the government entity administering the data or the application.
- All remote access shall require encrypted communications. This is addressed by the standard ST002-04.1 Remote Access standard.
- If data encryption is used, the government entity administering the data or the application shall have a recovery plan for encryption keys.
- All logons that pass over the public network shall utilize an encrypted process.
Definition
Sensitive information - Confidential information as defined in North Dakota Century Code and federal regulations as well as information that has been designated as needing additional safeguards. Examples of sensitive information are social security numbers, home telephone numbers, home addresses, user IDs/passwords.
Public Network (External) - Any network infrastructure not managed by ITD and not used for the purpose of the State Government network.
Portable Computer - Laptops, Tablet PCs, and Netbooks.
Guidance
For internal hosts that have capability of using encrypted logons, it is recommended that this be used.
Policy
To provide a common encryption practice to protect sensitive information.
Scope
This standard applies to all executive branch state agencies including the University Systems Office but excluding other higher education institutions, i.e. campuses and agricultural and research centers.
Statement of Commitment
North Dakota's CIO/CTO directs that IT Policy be created to establish statewide information technology policies and standards as defined within ND Century Code (Chapter 54-59-09).
Non-Compliance
Non-compliance with this standard shall be reported to the Office of the State Auditor.