The following table defines baseline encryption and key management controls for protecting Institutional Data. The three rightmost columns give the baseline for each control (Optional, Recommended or Required) by data classification, from least to most sensitive.
| ID | Control | Least sensitive | Intermediate | Most sensitive |
|---|---|---|---|---|
| EN-1 | Institutional Data transmitted over a network connection is encrypted | Optional | Recommended | Required |
| EN-2 | Institutional Data stored on Electronic Media is encrypted | Optional | Recommended | Recommended |
| EN-3 | Data stored on removable Electronic Media is encrypted | Optional | Recommended | Required |
| EN-4 | Data stored on a mobile computing device is encrypted | Optional | Recommended | Required |
| EN-5 | Remote administration of an Information System is performed over an encrypted network connection | Required | Required | Required |
| EN-6 | Industry accepted algorithms are used where encryption and/or digital signing are employed | Recommended | Required | Required |
| EN-7 | Key sizes of 128 bits or greater are used where symmetric key encryption is employed \* | Recommended | Required | Required |
| EN-8 | Key sizes of 1024 bits or greater are used where asymmetric key encryption is employed \* | Recommended | Required | Required |
| EN-9 | Keys are changed periodically where encryption is employed | Recommended | Required | Required |
| EN-10 | Keys are revoked and/or deleted when they are no longer needed to perform a business function | Recommended | Required | Required |
\* EN-7 and EN-8: These controls establish baseline key sizes for symmetric key encryption (e.g. AES and 3DES) and asymmetric encryption (e.g. RSA and Diffie-Hellman). However, industry trends illustrate a gradual movement toward larger key sizes. For example, the National Institute of Standards and Technology now requires 256-bit and 2048-bit keys for certain aspects of personal identity verification when dealing with federal information systems (see Special Publication 800-78). Data Custodians should evaluate any contractual obligations that might exist when selecting an appropriate key size.