Examples of Cryptographic control policy

Uncategorized 5 Minutes

1. POLICY STATEMENT

A policy on cryptographic controls has been developed with procedures to provide appropriate levels of protection to sensitive information whilst ensuring compliance with statutory, regulatory, and contractual requirements. The  Data Handling Procedures establish requirements for the use of encryption techniques to protect sensitive data both at rest and in transit. This policy defines the controls and related procedures for the various areas where encryption and other cryptographic techniques are employed.

2. SCOPE AND APPLICATION OF THE POLICY

Cryptographic controls can be used to achieve different information security objectives, e.g.:

  • Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted
  • Integrity/authenticity: using digital signature certificates or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information
  • Non-repudiation: using cryptographic techniques to provide evidence of the occurrence of an event or action
  • Authentication: using cryptographic techniques to authenticate users and other system entities requesting access or transacting with system users, entities, and resources

3. DEFINITIONS

  • Cryptography: a method of storing and transmitting data in a form that only those it is intended for can read and process.
  • Encryption: the process of converting data from plaintext to a form that is not readable to unauthorized parties, known as ciphertext.
  • Key: the input that controls the process of encryption and decryption. There are both secret and public keys used in cryptography.
  • Digital Certificate: An electronic document that is used to verify the identity of the certificate holder when conducting electronic transactions. SSL certificates are a common example that has identified data about a server on the Internet as well as the owning authority’s public encryption key.
  • Digital Signature Certificate: a type of digital certificate that proves that the sender of a message or owner of a document is authentic and the integrity of the message or document is intact. A digital signature certificate uses asymmetric cryptography and is not a scanned version of someone’s handwritten signature or a computer-generated handwritten signature (a.k.a. an electronic signature).
  • SSH Keys: A public/private key pair used for authenticating SSH servers and establishing a secure network connection.

4. USE OF CRYPTOGRAPHIC CONTROLS POLICY

  1. Approved encryption methods for data at rest
    1. The Data Handling Procedures require that the storage of sensitive data in some locations be encrypted. Refer to the Data Handling Procedures for specific requirements.
    2. Refer to the Procedures for Encrypting Data for approved encryption methods and key management procedures.
  2. Encryption methods for data in motion
  3. The Data Handling Procedures require the transfer of sensitive data through a secure channel. A secure channel is an encrypted network connection.
  4. Various methods of encryption are available and generally built-in to the application. The user should be aware of the data connection being used to transmit sensitive data and if encryption is enabled for that connection.
  5. Encryption is required for:
    • The transport of sensitive files (secure FTP, SCP, or VPN usage to encrypt sensitive data for network file access of unencrypted files).
    • Access to sensitive data via a website, web application, or mobile app. Encryption is required for accessing sensitive data from anything with a web interface, including mobile devices (i.e. use of HTTPS to encrypt sensitive data).
    • All network traffic for remote access to the virtual desktop environment.
    • Transport of sensitive data that is part of a database query or web service call (examples SQL query to retrieve or send data from database or a Restful web service call to retrieve or send data from a cloud application).
    • Privileged access to network or server equipment for system management purposes.
  6. Encryption of Email
    • The Data Handling Procedures require that when emailing some sensitive data the message and attachments be encrypted.
    • Refer to the Procedures for Encrypting Data document for instructions on encrypting Email.
    • Use of digital signature certificates
      • Digital signature certificates are a way to guarantee the authenticity and integrity of an Email message or document.
      • Digital signature certificates are not used for encrypting data.
      • Digital signature certificates are not the same as an electronic signature or e-signature which may be a digitized image of a handwritten signature or other image used to identify the author of a message.
      • E-signatures are not legally binding like a digital signature certificate because they are vulnerable to copying and tampering.
      • Users may use a digital signature certificate to digitally sign email messages.
      • Users may use a digital signature certificate to digitally sign some types of documents or forms.
      • Refer to the Procedures for Using Digital Signatures for instructions on how to acquire and utilize digital signature certificates.
    • Use and management of SSH keys
      • Refer to the Standards for the Use of SSH Keys document for guidance on when and how to utilize SSH keys.
    • Use and management of SSL digital certificates
      • WCU web servers (or devices with a web interface) that support secure (HTTPS) connections must have an SSL certificate installed.
      • Refer to the SSL Certificate Decision Matrix document for choosing the right type of certificate, the WCU certificate standards, and certificate management procedures.
    • Use of encryption
      • Classified information shall only be taken for use away from the organization in an encrypted form unless its confidentiality can otherwise be assured. Classified information that is taken away from the organization for use must be held on an encrypted USB pen drive provided by Computing and Media Services.
      • Procedures shall be established to ensure that authorized staff may gain access, when needed, to any important business information being held in encrypted form. The unique encryption key will be known only to the user and Computing and Media Services (Held in a secure repository).
      • The confidentiality of information being transferred on portable media or across networks must be protected by the use of appropriate encryption techniques. The VPN provides an encrypted tunnel between on-site resources and off-site access points. The VPN should be used in preference to the transfer of data by mobile media.
      • Encryption shall be used whenever appropriate on all remote access connections to the organization’s network and resources. The unique encryption key will be known only to the user and Computing and Media Services. (Held in the secure repository).
    • Managing electronic keys
      • A procedure for the management of electronic keys, to control both the encryption and decryption of sensitive documents or digital signatures, must be established to ensure the adoption of best practice guidelines and compliance with both legal and contractual requirements. Computing and Media Services will manage all electronic keys and provide users with an appropriate encryption service when requested.
    • Using and receiving digital signatures
      • The important business information being communicated electronically shall be authenticated by the use of digital signatures; information received without a digital signature shall not be relied upon. Computing and Media Services will manage all electronic keys and provide users with an appropriate encryption service when requested.

5. REGULATION OF CRYPTOGRAPHIC CONTROLS

Cryptographic controls should be used in compliance with all relevant agreements, legislation, and regulations. The following items must be considered for compliance:

  1. Restrictions on import or export of computer hardware or software used to perform cryptographic functions or are designed to have cryptographic functions added to it.
  2. Restrictions on the use of encryption, especially in foreign countries
  3. Methods of access to encrypted information used by the countries’ authorities.

Legal advice should be sought to ensure compliance before encrypted information or cryptographic controls are moved across jurisdictional borders.

Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply