SOP 10.1.1 Data Encryption
Version: 1.0
Status: Published – 6/12/18
Contact: [email protected]
Purpose
This procedure provides operating instructions for using cryptographic controls to protect sensitive
data. Sensitive data must be protected from exposure to unauthorized persons or when it is
exchanged with authorized recipients outside the normal security boundaries of the VCCS
network. Authorized recipients may include other VCCS employees, consultants, cloud services
providers, or other entities with approved non-disclosure and acceptable use agreements on file.
Implementation Guidance
Access to VCCS sensitive data is normally controlled and managed by security permissions
assigned through authorized user roles and responsibilities. Cryptographic controls must be applied
to copies made from original source data and not the original source data itself.
When exchanging sensitive data electronically, secure the data using cryptographic controls prior to
transmission, or exchange the data using a secure transmission process with verification of receipt
by the other party to the transmission. Electronic data exchange methods include but are not
limited to email, secure shell file transfer protocol (SFTP), application programming interface
(API), or electronic data interchange (EDI) processes.
Sensitive data exchanged on removable media must be secured using cryptographic controls. The
transmission of removable media must be tracked using a verifiable shipping service with electronic
tracking and signature on receipt. Removable media includes but is not limited to magnetic tape
media, optical disk media, magnetic disk media, universal serial bus (USB) devices, and hard drive
storage when removed from the host system.
All VCCS owned mobile devices and unattended publicly accessible equipment used to access
sensitive data must be secured using centrally managed cryptographic controls to prevent loss of
memory resident sensitive data in the event the device is lost or stolen.
This document contains instructions for specific encryption methods depending on the type of data
exchanged and the transmission methods used. For all cases not identified or referenced in this
document the user must obtain approval of an acceptable data exchange method from the VCCS
institution’s Information Security Officer prior to transmission of the data.
2016-03-20 Page 1 of 7
10.1.1 – Data Encryption – Data Protection Using Encryption
Contents
Transmitting Sensitive Data Using Email ... 2
Transmitting Sensitive Data over the Network using TLS ... 3
Transmitting Sensitive Data Using Secure Shell (SSH) ... 4
Transmitting Sensitive Data Using a Virtual Private Network ... 5
Protecting Sensitive Data at Rest ... 6
Transmitting Sensitive Data Using Email
Encryption of original source data, original data sets, original documents, or original files
containing sensitive data is not permissible unless the encryption keys are managed within an
approved central encryption key repository. Copies may be encrypted and transmitted using
email only when the encryption key can be sent to the recipient of the data by an alternative
method.
Microsoft Office documents must be encrypted using the password protection functionality built
into the Microsoft Office 2013 and later version products using strong encryption (128-bit AES)
with a SHA-2 class hashing algorithm. Earlier versions of Microsoft Office products are not
permissible for encryption purposes.
Adobe Acrobat X and later versions conform to the 128-bit AES encryption specification and can
encrypt PDF format documents using the built-in password protection functionality as an
acceptable alternative to Microsoft Office.
Convert other document or file types to a supported Microsoft Office 2013, Adobe Acrobat X, or
more recent version of these products and then apply password encryption.
Using your VCCS email account, attach the encrypted file to the message and notify the
recipient that the attachment is encrypted.
Contact the recipient by telephone or by text message to convey the password used to decrypt the
encrypted data file if using password-protected encryption.
Do not send the password by email to the recipient.
Request a Delivery Receipt as well as a Read Receipt for your message. If using Microsoft
Outlook, you can also set Permission on the message to restrict forwarding by selecting the Do
Not Forward option under the Options Tab.
The recipient will receive an email message prompting them to log on using their Microsoft
Account or by using a one-time password.
The recipient can download the attachment but will not be able to forward the attachment
automatically to another email address.
Unless there is a demonstrated need to retain a copy of the data set in encrypted format, any
copy of the original data and encrypted versions must be deleted. Only original source data is
to be retained per Library of Virginia data retention requirements.
Any transmission of VCCS sensitive data must include a statement indicating the recipient is
authorized to use the data for its intended purpose only and that the recipient must delete or return
any VCCS sensitive data as directed when the data is no longer required.
Transmitting Sensitive Data over the Network using TLS
The application server establishes its identity by presenting its certificate to the other
communicating computer. This requires the use of an independently verified certificate obtained
from a trusted Certificate Authority known to both parties and installed on the application server.
If any of the steps necessary to secure the connection fail, the connection is dropped and
communications are not allowed.
The user of the client computer authenticates with the application using their user id / password
combination after secure communications are established at the end of the key exchange process.
3) Key Exchange
The two communicating computer applications must agree to use a common encryption key
and cipher to use when encrypting data.
The two communicating computer applications must use the private/public key method for key
exchange and select a common cipher to use for encrypting the data to be exchanged.
The Advanced Encryption Standard (AES) block cipher or better is required for use with TLS 1.1
for data encryption. There are various ciphers that may be used that meet the same specification as
AES, but it is recommended that 256-bit AES encryption be established as the primary cipher to be
used by default where possible.
Data integrity must be ensured using the appropriate message authentication code for the TLS
protocol selected.
The use of TLS to secure Hypertext Transfer Protocol (HTTP) traffic constitutes the HTTPS or
HTTP Secure protocol.
The use of TLS to secure File Transfer Protocol (FTP) traffic constitutes the FTPS or FTP Secure
protocol. This protocol is not to be confused with FTP over VPN or FTP over SSH, both of which are
valid methods for using an established secure connection to initiate data transfers.
If the user of the client computer fails to authenticate with the application then access to the
application is denied by the server computer and data exchange is not allowed.
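As an added example (mine, not part of the SOP), a Python check that applies the TLS requirements above to the parameters Python's ssl module reports for a session: a protocol at or above the stated TLS 1.1 floor (kept as a parameter so a site can raise it), an ephemeral public/private-key exchange, AES for bulk encryption with an acceptable MAC or AEAD mode, and 256-bit AES as the recommended default. The audit_endpoint function and the sample cipher names are my own assumptions; the offline checker runs on constructed tuples in the format SSLSocket.cipher() returns.

```python
import socket
import ssl

# Policy taken from the SOP text above; the version floor is a parameter.
_VERSION_ORDER = {"TLSv1": 10, "TLSv1.1": 11, "TLSv1.2": 12, "TLSv1.3": 13}
_EPHEMERAL_KEX = ("ECDHE", "DHE")                    # ephemeral public/private key exchange
_INTEGRITY_OK = ("GCM", "CCM", "POLY1305", "SHA256", "SHA384")  # AEAD or HMAC-SHA2

def check_tls_policy(cipher_info, min_version="TLSv1.1"):
    """Evaluate the (name, version, bits) tuple that SSLSocket.cipher() returns.
    Returns (violations, warnings); both empty means the session is compliant."""
    name, version, bits = cipher_info
    violations, warnings = [], []
    if _VERSION_ORDER.get(version, 0) < _VERSION_ORDER[min_version]:
        violations.append(f"protocol {version} is below the {min_version} floor")
    if "AES" not in name:
        violations.append(f"{name}: bulk cipher is not AES")
    # TLS 1.3 suites always use ephemeral (EC)DHE; older suite names must say so.
    if version != "TLSv1.3" and not name.startswith(_EPHEMERAL_KEX):
        violations.append(f"{name}: no ephemeral public/private key exchange")
    # Suites ending in plain "-SHA" (HMAC-SHA1) or using MD5 fail this test.
    if "MD5" in name or not any(tag in name for tag in _INTEGRITY_OK):
        violations.append(f"{name}: no acceptable MAC or AEAD mode")
    if bits < 256:
        warnings.append(f"{bits}-bit key; 256-bit AES is the recommended default")
    return violations, warnings

def audit_endpoint(host, port=443, min_version="TLSv1.1", timeout=5.0):
    """Connect, verify the server's CA-issued certificate, then apply the policy.
    create_default_context() does chain and hostname verification (the SOP's
    server-identity step); a failed handshake raises and no data is exchanged.
    Recent Python releases also refuse anything below TLS 1.2 by default."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = tls.cipher()
            return info, check_tls_policy(info, min_version)

if __name__ == "__main__":
    # Constructed samples in the exact format SSLSocket.cipher() produces.
    for sample in [("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
                   ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
                   ("AES128-SHA", "TLSv1", 128)]:
        print(sample[0], check_tls_policy(sample))
```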
Transmitting Sensitive Data Using Secure Shell (SSH)
Using SSH to secure transmission of data over a network requires the use of an SSH Server and
compatible Client software to enable secure communications between two computers over an
unsecured network such as the Internet.
In order to use SSH to secure communications over the Internet, the VCCS institution must install an
SSH Server which supports SSH-2 public-key cryptography to authenticate the remote computer
and the user. The end user must use a compatible client application (such as PuTTY, WinSCP, or
OpenSSH) or the Secure Shell service running on an SSH Server.
There are several ways to use SSH; one is to use automatically generated public-private key pairs to
simply encrypt a network connection, and then use password authentication to log on.
Another is to use a manually generated public-private key pair to perform the
authentication, allowing users or programs to log in without having to specify a password. This
method is allowable only when the public key installed on the server can be associated with the
identity of the owner of the private key used by the client to ensure its validity.
If the connection to the SSH Server originates outside the VCCS network then appropriate
firewall restrictions must be employed. The IP Address for the client must be whitelisted
on the firewall to allow NAT connections to the SSH Server using a public IP Address
assigned to the SSH Server. The SSH Server must reside in an isolated subnet with access
restricted to only those application or user interfaces authorized to exchange data.
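To make the owner-association rule above checkable on an SSH Server, an added example (my own, not VCCS's or GlobalScape's code): a Python audit that parses an authorized_keys file, computes each key's OpenSSH SHA256 fingerprint, and reports any installed key whose fingerprint is not tied to a named owner in a registry. The registry, the sample file and the key blobs are constructed; the from= option in the sample pins a key to the whitelisted client address at the SSH layer, in addition to the firewall rule.

```python
import base64
import hashlib

def parse_authorized_keys(text):
    """Return (options, key_type, blob_b64, comment) per key line; an options
    field (from="...", no-pty, command="...") may precede the key type."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key type or no key material
        entries.append((" ".join(tokens[:idx]), tokens[idx],
                        tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, owner_registry):
    """Return [(fingerprint, owner_or_None, finding)]; a key passes only when
    its fingerprint maps to a named owner in the registry."""
    findings = []
    for _options, ktype, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        owner = owner_registry.get(fp)
        if owner is None:
            findings.append((fp, None, f"{ktype} key has no registered owner; remove it"))
        elif not comment:
            findings.append((fp, owner, "registered key lacks an identifying comment"))
        else:
            findings.append((fp, owner, "ok"))
    return findings

def _fake_ed25519_blob(seed):
    """Constructed blob in OpenSSH wire format (not a usable key)."""
    key = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + key).decode()
KEY_A, KEY_B = _fake_ed25519_blob(1), _fake_ed25519_blob(200)
# Constructed authorized_keys: a registered key pinned to a whitelisted source
# address (the from= option), plus a key that nobody has claimed.
SAMPLE_AUTHORIZED_KEYS = f"""# data-exchange service account
from="203.0.113.10",no-pty ssh-ed25519 {KEY_A} payroll-batch@partner.example
ssh-ed25519 {KEY_B}
"""
OWNER_REGISTRY = {fingerprint(KEY_A): "Partner payroll batch (contact: jdoe)"}  # constructed
```

Running audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, OWNER_REGISTRY) reports the first key as ok and the second as having no registered owner.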
At present, the GlobalScape Enhanced File Transfer service is the only authorized SSH
Server implemented at the VCCS. This service is currently only used for outgoing traffic
and key management. Presently there is no support for inbound connections.
The Secure Copy Protocol (SCP) is another network protocol that uses SSH to establish a
secure connection between two computers to allow file transfers between them. SCP thus
uses the same mechanisms for authentication as SSH thereby ensuring authenticity and
confidentiality of data in transit. SCP is limited to file transfers only and does not support
directory listing. It is used most often as a command line program when the user has
knowledge of or other programmatic access to the remote system directory structure.
Transmitting Sensitive Data Using a Virtual Private Network
1) VPN connectivity
The client initiates a VPN connection by making a request for authentication to the VPN host.
This request must use a secure VPN protocol (TLS, SSH, IPsec [1], DTLS [2], MPPE [3]) or a secure
authentication technique such as two-factor authentication (2FA) to prevent misuse of the
client credentials.
Once the client is authenticated, all traffic through the tunnel connection is secured by encryption
before transmission and then decrypted by the receiving host at the other end of the tunnel before
continuing on to its destination. This ensures that all traffic on the unsecured public network is
encrypted and not readable by anyone who might eavesdrop on the data.
VPN using a trusted delivery network protocol such as Microsoft’s Point-to-Point Tunneling
Protocol (PPTP) by itself does not encrypt data traffic and is not allowed. Use of a trusted delivery
network must incorporate a secure authentication protocol such as Microsoft Point-to-Point
Encryption (MPPE) for PPTP to prevent misuse of the client credentials.
VPN hosts must not allow connectivity if the client identity cannot be securely authenticated.
[1] IPsec – Internet Protocol Security
[2] DTLS – Datagram Transport Layer Security
[3] MPPE – Microsoft Point-to-Point Encryption
used to encrypt the hard drives of mobile devices used to access VCCS sensitive data, to encrypt
removable media used to transport sensitive data off premises, or to encrypt sensitive data files for
which no other compatible encryption format is available.
Laptop computers, tablet computers, personal digital assistants, and mobile phones owned or
leased by the VCCS must incorporate full disk encryption using an encryption program with a
passphrase, password, or PIN to unlock the device for access and use.
Mobile devices are more easily lost or stolen and can fall into the hands of an unauthorized person
who may attempt to access the device innocently or with malicious purpose. Full disk encryption
can protect all data on these devices including the operating system, settings, cache memory, or
stored data.
The encryption keys for all such devices must be managed in a central repository so that the devices
can be decrypted if or when it becomes necessary.
PGP Disk Encryption and Microsoft BitLocker are two acceptable encryption programs that have
central key management repositories available.
Portable hard drives, USB drives, magnetic disk, and magnetic tape are some of the various
media types easily transported to exchange data or for offsite storage. Full disk encryption
using an encryption program with a passphrase, password, or PIN to unlock the device
must be used to protect any such devices used to transport or store sensitive data.
Removable media can fall into the hands of an unauthorized person who may attempt to access the
device innocently or with malicious purpose. Full disk encryption can protect all data on these
devices including the operating system, settings, cache memory, or stored data.
The encryption keys for all such devices must be managed in a central repository so that the devices
can be decrypted if or when it becomes necessary.
The transfer of sensitive data using removable media must be trackable from point-to-point when
used to exchange data with a third party. A reliable shipping organization using electronic tracking
with signature upon receipt must be used to track the shipment of any media containing VCCS
sensitive data.
The key for decrypting the data must be exchanged using a secure encryption method.
Encrypt unformatted text files, compressed file archives, media file formats, and other files
prior to exchange or transportation off-premises if they contain VCCS sensitive data.
Encrypt these files using any encryption method previously defined for encrypting sensitive data.
Separate encryption of these types of data is discouraged due to the difficulty of centrally managing
encryption keys.
REVISION HISTORY
Final Approval
Date Name Position
6/12/18 Richard Crim CIO