1. POLICY STATEMENT
A policy on cryptographic controls has been developed with procedures to provide appropriate levels of protection to sensitive information whilst ensuring compliance with statutory, regulatory, and contractual requirements. The Data Handling Procedures establish requirements for the use of encryption techniques to protect sensitive data both at rest and in transit. This policy defines the controls and related procedures for the various areas where encryption and other cryptographic techniques are employed.
2. SCOPE AND APPLICATION OF THE POLICY
Cryptographic controls can be used to achieve different information security objectives, e.g.:
- Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted
- Integrity/authenticity: using digital signature certificates or message authentication codes to verify the authenticity or integrity of stored or transmitted sensitive or critical information
- Non-repudiation: using cryptographic techniques to provide evidence of the occurrence of an event or action
- Authentication: using cryptographic techniques to authenticate users and other system entities requesting access or transacting with system users, entities, and resources
- Cryptography: a method of storing and transmitting data in a form that only those it is intended for can read and process.
- Encryption: the process of converting data from plaintext to a form that is not readable to unauthorized parties, known as ciphertext.
- Key: the input that controls the process of encryption and decryption. There are both secret and public keys used in cryptography.
- Digital Certificate: An electronic document that is used to verify the identity of the certificate holder when conducting electronic transactions. SSL certificates are a common example that has identified data about a server on the Internet as well as the owning authority’s public encryption key.
- Digital Signature Certificate: a type of digital certificate that proves that the sender of a message or owner of a document is authentic and the integrity of the message or document is intact. A digital signature certificate uses asymmetric cryptography and is not a scanned version of someone’s handwritten signature or a computer-generated handwritten signature (a.k.a. an electronic signature).
- SSH Keys: A public/private key pair used for authenticating SSH servers and establishing a secure network connection.
4. USE OF CRYPTOGRAPHIC CONTROLS POLICY
- Approved encryption methods for data at rest
- The Data Handling Procedures require that the storage of sensitive data in some locations be encrypted. Refer to the Data Handling Procedures for specific requirements.
- Refer to the Procedures for Encrypting Data for approved encryption methods and key management procedures.
- Encryption methods for data in motion
- The Data Handling Procedures require the transfer of sensitive data through a secure channel. A secure channel is an encrypted network connection.
- Various methods of encryption are available and generally built-in to the application. The user should be aware of the data connection being used to transmit sensitive data and if encryption is enabled for that connection.
- Encryption is required for:
- The transport of sensitive files (secure FTP, SCP, or VPN usage to encrypt sensitive data for network file access of unencrypted files).
- Access to sensitive data via a website, web application, or mobile app. Encryption is required for accessing sensitive data from anything with a web interface, including mobile devices (i.e. use of HTTPS to encrypt sensitive data).
- All network traffic for remote access to the virtual desktop environment.
- Transport of sensitive data that is part of a database query or web service call (examples SQL query to retrieve or send data from database or a Restful web service call to retrieve or send data from a cloud application).
- Privileged access to network or server equipment for system management purposes.
- Encryption of Email
- The Data Handling Procedures require that when emailing some sensitive data the message and attachments be encrypted.
- Refer to the Procedures for Encrypting Data document for instructions on encrypting Email.
- Use of digital signature certificates
- Digital signature certificates are a way to guarantee the authenticity and integrity of an Email message or document.
- Digital signature certificates are not used for encrypting data.
- Digital signature certificates are not the same as an electronic signature or e-signature which may be a digitized image of a handwritten signature or other image used to identify the author of a message.
- E-signatures are not legally binding like a digital signature certificate because they are vulnerable to copying and tampering.
- Users may use a digital signature certificate to digitally sign email messages.
- Users may use a digital signature certificate to digitally sign some types of documents or forms.
- Refer to the Procedures for Using Digital Signatures for instructions on how to acquire and utilize digital signature certificates.
- Use and management of SSH keys
- Refer to the Standards for the Use of SSH Keys document for guidance on when and how to utilize SSH keys.
- Use and management of SSL digital certificates
- WCU web servers (or devices with a web interface) that support secure (HTTPS) connections must have an SSL certificate installed.
- Refer to the SSL Certificate Decision Matrix document for choosing the right type of certificate, the WCU certificate standards, and certificate management procedures.
- Use of encryption
- Classified information shall only be taken for use away from the organization in an encrypted form unless its confidentiality can otherwise be assured. Classified information that is taken away from the organization for use must be held on an encrypted USB pen drive provided by Computing and Media Services.
- Procedures shall be established to ensure that authorized staff may gain access, when needed, to any important business information being held in encrypted form. The unique encryption key will be known only to the user and Computing and Media Services (Held in a secure repository).
- The confidentiality of information being transferred on portable media or across networks must be protected by the use of appropriate encryption techniques. The VPN provides an encrypted tunnel between on-site resources and off-site access points. The VPN should be used in preference to the transfer of data by mobile media.
- Encryption shall be used whenever appropriate on all remote access connections to the organization’s network and resources. The unique encryption key will be known only to the user and Computing and Media Services. (Held in the secure repository).
- Managing electronic keys
- A procedure for the management of electronic keys, to control both the encryption and decryption of sensitive documents or digital signatures, must be established to ensure the adoption of best practice guidelines and compliance with both legal and contractual requirements. Computing and Media Services will manage all electronic keys and provide users with an appropriate encryption service when requested.
- Using and receiving digital signatures
- The important business information being communicated electronically shall be authenticated by the use of digital signatures; information received without a digital signature shall not be relied upon. Computing and Media Services will manage all electronic keys and provide users with an appropriate encryption service when requested.
5. REGULATION OF CRYPTOGRAPHIC CONTROLS
Cryptographic controls should be used in compliance with all relevant agreements, legislation, and regulations. The following items must be considered for compliance:
- Restrictions on import or export of computer hardware or software used to perform cryptographic functions or are designed to have cryptographic functions added to it.
- Restrictions on the use of encryption, especially in foreign countries
- Methods of access to encrypted information used by the countries’ authorities.
Legal advice should be sought to ensure compliance before encrypted information or cryptographic controls are moved across jurisdictional borders.
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.