Re: AES-256 and Sensitive Documents

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

I suggest doing it in-house.  Going through a third party introduces other concerns.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Oberlin, Craig
Sent: Wednesday, November 28, 2018 1:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] AES-256 and Sensitive Documents

Any ecommendations on Open/Closed Source solutions for the web application to upload to?

Craig Oberlin, CISSP
Sr. Director IT, Users Services & Chief Cyber Security Officer
Coast Community College District
P 714.438.6808 coberlin1 () cccd edu<mailto:coberlin1 () cccd edu>

[cid:image001.png@01D48727.DBC5E1C0]

1370 ADAMS AVENUE, COSTA MESA, CA 92626


From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, 
Mark B
Sent: Wednesday, November 28, 2018 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] AES-256 and Sensitive Documents

For such things we would provide a link to a Web application that would allow the user to upload the document instead.  
Let https encrypt the document in transit.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Ronald Loneker
Sent: Wednesday, November 28, 2018 1:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] AES-256 and Sensitive Documents

Good Afternoon All -

Our Financial Aid office would like to have students and their parents, when e-mailing financial aid documents 
containing sensitive information, to comply with federal regulations saying the documents should be e-mailed with 
AES-256 encryption.

Since TLS 1.3 was released and is now in use in Chrome, the TLS 1.3 protocol uses only AES-128 encryption so we're 
considering asking our students and their parents, if e-mailing sensitive documents, to encrypt them with a yet to be 
decided encryption application at the AES-256 level and attach the encrypted file to the e-mail being sent to our 
Financial Aid office.  We would provide links to easy to use, free encryption software and provide directions on how to 
download, install and use it.  We are also considering adding this software to our computer lab images for those 
students who want to e-mail documents but don't have access to a computer at home.

Right now, the other web browsers seem to be using TLS 1.2, currently operating at the AES-256 level, with Firefox and 
Safari saying they expect to move to TLS 1.3 in the near future at some point.

I'm curious as to what other schools are doing, and whether they are putting any sort of language on their website 
saying that documents like this should be encrypted to prevent unauthorized access to the data.

Please note that I am not looking for vendor solicitations.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Henderson Hall, Room 202C
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229<tel:973-290-4229>

e-mail:  rloneker () cse edu<mailto:rloneker () cse edu>


---------------------------------------------------------------------------------------------------------------------

*** NOTICE *** This message was sent from an external sender and did not originate from Coast Community College 
District.  If you are unsure of the authenticity of the sender, DO NOT click any links or download any attachments.  
Instead, click on FORWARD and address to phishing