Email Encryption for the University Project
The project was established in 2006 with the aim of addressing the issue of secure transmission of sensitive documents via email, especially exam papers in preparation. This is not currently allowed by the regulations (under the Governance of the Proctors).
Increasingly there are demands to securely prepare files and send them via email. In particular there is a demand evident for a system to allow examiners to prepare papers using electronic means. This often involves examiners in different locations who currently have to circulate papers in print form via standard mail. E-mail therefore offers a quick and efficient solution as long as security can be assured. However, if encryption can be seen to work for exam preparation, then it could be utilized for circulating other sensitive documents.
At a preliminary meeting involving representatives of the Proctors Offices, OUCS, the Medical Division, the Physics Departments, and the Law Faculty, key issues were discussed. Most importantly three recommendations emerged from this (under the advice of the security team at OUCS):
- The only way to effectively maintain security was via file encryption, e.g. encoding the file so that it can only be decoded and read by nominated people. This had to be done at the point of creation (e.g. as soon as an examiner begins work on a paper using a word-processor, for example, it should be encrypted).
- OUCS, with representative users from other departments, should therefore be asked to co-ordinate a trial of the user software available for encryption. Two packages were chosen - PGP and GPG. The first is a commercially available product and the second is a free piece of software.
- Any machine storing exam papers and other sensitive material (e.g. in a Faculty/Department Office) should be kept off the network.
Following an initial trial at OUCS and the Faculty of Law (see report), permission was granted, by the Proctors Office, to run a full working trial of PGP Universal Series to offer email encryption. For the purposes of the trial:
- OUCS will be running PGP Universal Server allowing central management of keys, policies and software.
- Volunteer departments have been identified, and training will be offered to the relevant IT support staff.
- Those departments will be provided with 10-15 licences for PGP Desktop which will run on either Windows or MAC.
- The volunteer departments will then identify users to trial the software and report back on any findings