Data Ownership
1) All data is the property of American Water. The service provider has no claim to the American Water data whatsoever. The service provider shall not access American Water data other than for purposes of:
   a. Conducting normal support or maintenance activities.
   b.
Data in Motion
1) All American Water data should be encrypted during transmission using a dynamically generated key, distributed via an industry standard public key exchange protocol.
Data at Rest
1) All American Water data should be encrypted while at rest using a unique key used specifically for American Water data.
   a. Key management should follow industry best practices such as NIST Special Publication 800-57 and NIST DRAFT Special Publication 800-130.
   b. The burden of key management rests solely with the Service Provider.
Equipment upgrades
1) If the service provider upgrades equipment and is required to send a system, hard drive, or solid state drive to a 3rd party vendor, any encrypted American Water data will be considered secure if the encryption key has never been stored on the same piece of equipment. If the key has ever been stored on the same piece of equipment, at minimum the key must be securely overwritten in accordance with the US Department of Defense clearing and sanitizing standard DoD 5220.22-M; ideally the entire device shall be cleared and sanitized.
Equipment Disposal
1) If the service provider deactivates and disposes of equipment such as a system, hard drive, or solid state drive, any encrypted American Water data will be considered secure if the encryption key has never been stored on the same piece of equipment. If the key has ever been stored on the same piece of equipment, at minimum the key must be securely overwritten in accordance with the US Department of Defense clearing and sanitizing standard DoD 5220.22-M; ideally the entire device shall be cleared and sanitized.
Logging