CRYPTOGRAPHY POLICY
© Distributed by [Link] under a Creative Commons Share Alike License.
Cryptography Policy
Version Control
Owner | Version | Edited By | Date | Change History
IS Rep | 0.1 | Assent | 19/01/2016 | First Draft
Distribution
Held By | Format | Location | Comments
User | Digital / Physical | |
Status
X | Status | Approved By | Date
X | Working Draft | | DD/MM/YYYY
  | Provisional Approval | |
  | Publication | |
Classification
X Confidential
Restricted
Unclassified
Relevance to Standard
Standard | Clause | Title
[ISO 27001:2013] | [A10.1] | [Cryptographic Controls]
License
Licensed by Assent Risk Management via [Link] Under a Creative Commons Share Alike License.
Contents
Cryptography Policy
Contents
Cryptography Policy
  1.0 Overview
  2.0 Policy
    2.1 Encryption of Devices or Data (at rest)
    2.2 Key Management
    2.3 Securing Communication Channels (data in transit)
  3.0 Related Policies
Cryptography Policy
1.0 Overview
Encryption technologies provide a level of protection for the storage, transmission,
retrieval, and access to confidential or sensitive data. Encryption works by converting
data to make it inaccessible and unreadable to unauthorised individuals. The only
way to read the encrypted data is by using a decryption key.
The Data Protection Act requires us to have appropriate policies and procedures in
place to ensure the safekeeping, use, and retrieval of, and access to, data covered by
the Act. We have a responsibility to ensure the integrity, security, and protection of
all data that we hold.
The purpose of this encryption policy is to:
- Detail the specification and deployment of data encryption software for the
  protection of electronic information.
- Describe how encryption will be used and applied to devices.
- Provide guidance on the responsibilities of the use of encrypted devices.
This policy covers all electronic data and details the types of devices which are
acceptable for the storage / transmission of data, and how these devices utilise
encryption software if used - irrespective of whether or not the data held on them is
considered sensitive or confidential.
This policy covers encryption for the following devices and applications:
- Desktop, laptop, tablet computers
- Handheld devices such as mobile phones and PDAs
- Portable storage devices e.g., USB memory sticks, external drives
- Backup Systems and storage
- SSL certificates for Web applications where data is in transit
2.0 Policy
2.1 Encryption of Devices or Data (at rest)
- Laptops and other portable devices will be encrypted where the IT
  Department deems there to be a justifiable reason to do so.
- Data should not be stored on computers or portable media devices
  unless access is required when network connectivity is not available.
  When it is necessary, data should only be stored on authorised devices,
  and confidential or customer data should never be stored on mobile
  devices, in line with our Information Classification and Handling policy.
- Mobile devices using the Apple iOS or Android operating systems (e.g.,
  phones, iPads, tablets) can be encrypted using the built-in 4-digit PIN
  protection security provided as part of the platform.
- This 4-digit PIN must be provided to the IT Manager if the equipment is
  returned at the end of employment or if the equipment is to be re-used.
- If encryption software is required to be used for a device, then the
  following minimum standard should be followed:
  - Uses AES 128-bit (Advanced Encryption Standard), which is a
    symmetric-key encryption with a 128-bit key.
  - Passwords used must comply with the company password policy.
  - Pre-shared keys or encryption passwords must be provided to the
    IT manager or the user’s line manager (for device recovery or
    access if required), but must not be disclosed to anyone else.
- The IT department will advise on the best method to encrypt individual
  files if this is required for moving confidential or customer data outside
  of secure networks (e.g., on removable media).
- Where files are password protected (for example, Excel spreadsheets,
  Word documents), the password set must comply with the password
  policy and the password must be approved by the user’s line manager
  (for file recovery purposes).
2.2 Key Management
The IT Department should be made aware of all encryption keys used
within the business to ensure that data can be accessed should it be
required.
2.3 Securing Communication Channels (data in transit)
All communications channels used for remote access, web apps or
messaging must be encrypted to protect the data in transit.
VPNs
Access to the organization’s network should be via an encrypted VPN
connection only.
Remote Desktop
Connections using the built-in remote desktop protocol (RDP) are encrypted
by default. Passwords should not be saved or remembered on the client side.
Email
Communication between an email client and the mail server is encrypted with
a minimum of TLS by default.
Web Traffic
HTTPS connections (SSL) to manage internal devices or systems through
management interfaces using self-cert or device-provided certificates.
New connections must be suitably secured using appropriate encryption
technology or protocols. If encryption of a communication channel requires a
pre-shared key or other detail, then this should be communicated to the IT
manager for secure storage in case the channel needs to be re-created.
3.0 Related Policies
- Password Policy
- Information Classification