Policy for cryptography (A.10)

On this page you will find the current policy on encryption, and information on how Aarhus University uses encryption to protect information.
Objective

The objective of Aarhus University's policies and rules for cryptography is:

  • to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

Cryptographic controls (A.10.1)

A policy on the use of cryptographic controls for protection of information shall be developed and implemented. (A.10.1.1)

In order to maintain appropriate protection measures, unit management must ensure that Aarhus University never loses access to its information assets. A sufficient level of accessibility should be achieved through policies and concrete guidelines, e.g. for the use of cryptography at information processing facilities. This includes procedures for the handling and storage of passwords and encryption keys, independent of individuals. The guidelines must always comply with statutory requirements, for example in the Access to Public Administration Files Act or the Danish Public Administration Act.

Sensitive and confidential information must always be encrypted when stored on mobile devices. If it is not possible to use encryption (for example on mobile devices such as tablets and smartphones), you should refrain from processing sensitive or confidential data on the device.

Passwords and similar credentials must never be stored unencrypted, neither on mobile devices nor on stationary equipment. Passwords must be encrypted using recognised encryption technology.

E-mails and data containing confidential information must always be encrypted during transmission over open networks.

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. (A.10.1.2)

A procedure must be in place for secure replacement, use and protection of associated encryption keys.

A number of initiatives have been planned and established centrally in order to comply with the above requirements:

  • Re. A.10.1.1 Use of encryption:
    • AU IT has established various guidelines on encryption and the use of secure email.
  • Re. A.10.1.2 Administration of keys:
    • AU IT has established procedures for this regarding managed AU equipment.
    • With regard to private equipment, and equipment purchased locally and not through the university's IT support departments, the owner is responsible for complying with the above policy for encryption keys.

This means that if you keep your critical, confidential or sensitive information stored in the solutions offered centrally, the above compliance is ensured by Aarhus University.

If you have other needs based on your risk assessment, these must be ensured locally.

QUESTION GUIDE

Consider the question guide as a tool to navigate the requirements of the policy:

  • How is an adequate level of encryption (based on data classification) ensured when storing, processing and transferring AU information?
  • How are the necessary procedures for handling and protecting encryption keys in devices ensured and documented?

In cyber security, cryptography (encryption) is the conversion of data from a readable format into an encoded format. Encrypted data can only be read or processed once it has been decrypted.

Encryption is the foundation for data security. It is the simplest and most important way to ensure that information on a computer system cannot be stolen and read by people with malicious purposes.