Old Dominion University

Information Technology Standard

02.5.0 Encryption Usage and Key Escrow Standard

Date of Current Revision or Creation: January 1, 2022

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, and applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this compliance standard is to establish guidelines for the use of encryption to secure University information in transit on a network or stored on any form of media.

  2. Definitions

    Encryption: Encrypting or scrambling data to assure confidentiality and integrity.

    In Transit: Data being moved from one location to another.

    At Rest: Data stored in a location.

    ITS is the acronym for the official name of Information Technology Services.

    Escrowing: Storing and managing keys and/or certificates in a system to protect against lost or stolen keys or certificates.

    Proven Standardized Algorithms are ciphers or methods of encryption that are either selected as official methods for the Federal Information Processing Standard or methods that have experienced intense scrutiny and have widespread use.

    User includes anyone who accesses and uses the Old Dominion University information technology resources.

  3. Standards Statement

    1. Encryption Usage

      Only industry standard algorithms and methods will be used as the basis for encryption technology. Accepted methods are available from ITS upon request.

      Public and private key sizes and algorithms must meet the current best practices for industry standard encryption. Hashing algorithms with weaknesses, such as MD5 and SHA1, should not be used for digital signatures or password obfuscation.

      IT Security will follow a documented response procedure for when keys are compromised.

      ODU must have a secure key management process for the administration and distribution of encryption keys.

      ODU must generate all encryption keys through an approved encryption package and securely store the keys in the event of key loss due to unexpected circumstances.

      Encryption must be used during transmission of sensitive data commensurate with sensitivity and risk.

      Encryption should be used for all transmission of data when possible.

    2. Key and Certificate Management

      1. In Transit Encryption

        1. Keys and certificates for in transit encryption should be protected from incidental release and not transmitted through insecure methods.

        2. These keys must be changed if they are compromised.

      2. At Rest Encryption

        1. Escrowing keys and certificates is essential for disaster recovery and business continuity. Keys and certificates for critical business services must be escrowed with ITS Security. This includes any keys used by systems or users to protect documents or data.

      3. Personal Encryption

        1. Keys used as personal credentials must be escrowed by the user.

        2. Keys used for personal at rest encryption must be escrowed by ITS Security or through an approved system.

    3. Encryption Outside of the United States

      Users must comply with Federal law regarding the development and use of encryption outside of the United States.

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

    University Policy 3500 - Use of Computing Resources

    University Policy 3504 - Data Classification

    University Policy 3505 - Information Technology Security

  5. History

    | Date | Responsible Party | Action |
    |---|---|---|
    | October 2008 | ITAC/CIO | Created |
    | October 2010 | ITAC/CIO | Reaffirmed |
    | October 2011 | ITAC/CIO | Reaffirmed |
    | March 2014 | IT Policy Office | Minor rewording for clarity |
    | | | Number revision and departmental name change |
    | May 2018 | IT Policy Office | Reviewed; definitions and links updated |
    | January 2022 | IT Policy Office | Reviewed and updated links; minor wording changes |
