Dakota State University students walking around campus

Rise with us

DSU is a place where innovation meets opportunity. We are a nationally recognized leader in technology-driven education, constantly pushing the boundaries of what’s possible. With hands-on learning experiences, expert faculty, and cutting-edge facilities, we prepare you for modern careers. Choose from a wide range of affordable, forward-thinking programs that allow you to shape your own path. Your future begins today.

Majors & Degrees

Search

Popular searches

smiling woman

Rise with us

DSU is a place where innovation meets opportunity. We are a nationally recognized leader in technology-driven education, constantly pushing the boundaries of what’s possible. With hands-on learning experiences, expert faculty, and cutting-edge facilities, we prepare you for modern careers. Choose from a wide range of affordable, forward-thinking programs that allow you to shape your own path. Your future begins today.

Visit DSU

Home Encryption

Encryption

Policy 14.14

Approved by: President
Responsible Officer: Chief Information Officer
Responsible Office: Information Technology Services
Originally Issued: 02/09/2026
Last Revision: New
Category: Technology

Related Policies

SD BOR 7.7 Personally Identifiable Information
SD BOR 7.4 Security of Information Systems
DSU 14.3 - International Travel and Technology

I. Reason for Policy

Dakota State University (DSU) is committed to protecting the confidentiality, integrity, and availability of University data, including information classified as Highly Sensitive, Restricted, or Internal. Encryption safeguards University data stored on devices (data at rest) and transferred across networks (data in transit). This policy establishes requirements for applying encryption to University data and systems and supports compliance with SDBOR requirements, federal regulations, and institutional security standards.

Scope
This policy applies to all University faculty, staff, contractors, affiliates, and third parties who access, store, process, transmit, or manage Institutional data. It applies to:

  1. All system-owned devices, servers, storage media, and cloud services.
  2. Institutional data as defined and classified under the DSU Data Classification Policy, including all Highly Sensitive, Restricted, or Internal data, regardless of medium, format, or storage location. Until such policy is formally adopted, Non-Public Data may not be stored on personal devices. All methods of transmitting University data across internal or external networks.

II. Definitions

  1. CIO (Chief Information Officer). Campus Chief Information Officer/Vice President of Technology is the department head for the DSU (Dakota State University) technology department.
  2. Data Trustee. Data Trustees are the university officials with authority over institutional data or the university’s use thereof. Data Trustees are accountable for protecting, managing, and ensuring the integrity of institutional data in accordance with policies, state law, and federal law.
  3. Full Disk Encryption (FDE). Encryption of all data on a storage device, permitting access only after successful authentication.
  4. File Encryption / Folder Encryption. Encryption applied to specific files or folders requiring authentication for access.
  5. Institutional Data. Data for which institutional resources or institutionally owned, leased, licensed, or provided technology systems are used to create, manage, transmit, process, or store it, including administrative, instructional, operational, and research data. When institutional systems, devices, funding, or networks are used to create or process research data, the resulting data is considered institutional data regardless of where the researcher is physically located or which device is used at the moment of creation.
  6. ITS: Information Technology Services. The official technology department for Dakota State University and subsumed departments.
  7. Non-Public Data. All data classified as Highly Sensitive, Restricted, or Internal under the University Data Classification Policy.
  8. System-Owned Device. A device (laptop, desktop, mobile device, etc.) owned, managed, and maintained by the University.
  9. VPN (Virtual Private Network). A secure service enabling authorized users to connect to University resources over public networks.
  10. Virtual Desktop Infrastructure (VDI). VDI enables the hosting of desktop environments on a central server, allowing users to access their desktops remotely from various devices, enhancing flexibility and centralizing desktop management.

III. Statement of Policy

  1. General Requirements
    1. University data classified as Non-Public Data must be encrypted both at rest and in transit.
    2. ITS shall use industry-recognized encryption standards.
    3. System-owned devices that store University data must use Full Disk Encryption (FDE) whenever technically feasible.
    4. File- or folder-level encryption may be used when FDE is not feasible or when additional protection is required for particularly sensitive subsets of data.
  2. Data at Rest
    1. All system-owned laptops, mobile devices, servers, portable drives, and removable media storing Non-Public Data must be encrypted.
    2. Cloud services used to store Non-Public Data must provide encryption that meets or exceeds institutional standards.
    3. When device-level encryption cannot be implemented, files containing Non-Public Data must be encrypted before storage.
    4. Encryption measures shall not be disabled or bypassed.
  3. Data in Transit
    1. Non-Public Data must be encrypted during transmission over wired or wireless networks.
    2. Secure communication protocols or encrypted file transfer methods must be used.
    3. Web services that transmit or display University data must use TLS or equivalent protections.
    4. Encryption of public data is recommended to preserve integrity and prevent unauthorized modification.
  4. Key Management
    1. Encryption keys must be generated, stored, and protected in accordance with ITS security practices.
    2. Keys must be strong enough to resist brute-force attacks and stored separately from encrypted data.
    3. Backup keys must be uniquely managed to prevent unauthorized access.
    4. In the event of key compromise or data breach, affected keys must be invalidated and replaced.
  5. Third-Party Services
    1. Vendors storing, processing, or transmitting University data must comply with this policy and applicable contracts, including encryption requirements.
    2. Service agreements must include appropriate security controls and key-management expectations.
  6. Remote Work and International Travel
    1. Remote access to Non-Public Data must occur through secure University services such as VPN or VDI.
    2. Under DSU 14.3, international travelers shall avoid carrying Non-Public Data on devices whenever possible and instead use VDI for access.
    3. Devices used during international travel must comply with the International Travel and Technology Policy (14.3).
  7. Reporting Requirements
    1. Lost, stolen, or compromised encrypted devices or media must be reported immediately to ITS.
    2. Suspected or confirmed security incidents must be reported in accordance with the Incident Handling Policy (06-04-00).
  8. Enforcement. Individuals who violate this policy may be subject to:
    1. Disciplinary actions under applicable employee, student, or contractor rules;
    2. Revocation of access privileges;
    3. Actions outlined in SDBOR 7:1 and 7:4 regarding unauthorized access, misuse, or security breaches.

Exclusions

N/A

Exceptions

Any exceptions to this policy must be approved by the CIO.

IV. Procedures (Major)

  1. Data at Rest Procedures
    1. ITS implements and manages FDE for system-owned devices.
    2. ITS ensures servers and storage solutions used by the University apply appropriate encryption controls.
    3. Data Trustees verify that third-party storage locations meet encryption requirements.
  2. Data in Transit Procedures
    1. ITS configures and manages secure communication protocols, VPN services, and certificate management.
    2. Users transmitting Non-Public Data must use approved encrypted transfer methods.
  3. Key Management Procedures
    1. ITS oversees key generation, storage, recovery, and replacement processes.
    2. ITS conducts periodic reviews of encryption algorithms and key lengths for compliance and security relevance.
  4. Compliance and Monitoring
    1. ITS periodically reviews encryption implementations to ensure compliance with policy, standards, and regulatory requirements.
    2. Non-compliance issues are escalated to the CIO.

V. Related Documents, Forms, and Tools

NIST Special Publication 800 - 111 - Guide to Storage Encryption

NIST Special Publication 800 - 171 - Protecting Controlled Unclassified Information

VI. Policy History

Adopted: 02/09/2026

Policies

Policy Request Form