Section 3: Encrypt Data
TxDOT must protect its data assets from unauthorized and unintended use when the information is in use, in transit, and at rest. Translating data into a secret code to prevent unintended recipients from reading it is commonly referred to as encryption. TxDOT uses encryption to maintain the confidentiality, ensure the integrity, and prevent unauthorized disclosure of its information. This section establishes how encryption is a part of TxDOT’s Information Protection Policy. It provides a role-based method to address the “Protect” objective of the Texas CyberSecurity Framework.
Data that is classified as sensitive or confidential must be encrypted while in transit and while at rest. This includes data that is considered internal communications. Encryption at TxDOT must, at a minimum, meet the National Institute of Standards and Technology (NIST) publication “Federal Information Processing Standards,” FIPS 140-2. Additionally, TxDOT must meet the following four requirements:
- use cryptography or alternate physical protection
- obtain public key certificates from an approved service provider
- maintain a key management system for their distribution, storage, access, and destruction
- prevent unauthorized and unintended information transfer via shared resources.
All individuals who use TxDOT information assets and are entrusted with sensitive or confidential data must ensure the information is encrypted while in transit and at rest.
Information custodians. Information custodians must ensure all sensitive and confidential information is encrypted when it is transmitted, stored, or disposed of.
Information owners. Information owners must ensure that sensitive and confidential data is encrypted, and that the keys used are managed and safeguarded.
Information Security Officer (ISO). The ISO is responsible for the protection of systems and communications related to TxDOT's information resources. The ISO must:
- ensure that information owners, custodians, and individuals who use information resources comply with the encryption policy for sensitive and confidential data
- provide the mechanisms to encrypt sensitive and confidential data
- verify that encryption methods comply with FIPS 140-2 standards
Compliance and Standards
See the “Encrypt Data Standards” in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Information Protection Policy.