Encryption of university data

[Stephen C Gay <sgay () KENNESAW EDU>]

I am a security engineer at a medium sized university and we have begun
discussing the possibility of encrypting data at the workstation &
network share level. It is our goal to offer a technical solution for
the secure movement & storage of sensitive data to campus users. I
recognize that encryption is a proverbial "double edged sword" and that
unlawful data may be stored on University resources. One possible way to
get around this would be a key escrow which, with proper authorization,
would allow specified administrators to reset the encryption hash &
decrypt the data. This would resolve any legal investigation issues.

Encryption policy and procedures seem to be scarce, but Cornell has
adopted a draft in which authorized university officials can demand (or
reset?) the encryption key. On the other hand another university
actually lets you download PGPdisk from their Information Security site,
but I can find no reference of policy or procedures outlining its use.
Other examples which I found seem to reenforce this very diverse
approach to a singular technology.

I'm interested in learning what the group thinks about the use of
encryption in an educational environment and how it may (or may not)
have been implemented in your respective organizations.

Warm regards,
-stephen

-----------------------------------------------------------
Stephen C. Gay
CNE, MCSE, Security+
Information Security Engineer
Kennesaw State University
sgay () kennesaw edu
-----------------------------------------------------------