Sample Encryption Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.

This Encryption Standard builds on the objectives established in the Asset Protection Standard, and provides specific instructions and requirements for the encryption of sensitive information assets.

Objectives

  1. General Requirements
    1. Encryption shall be used to protect the confidentiality and integrity of sensitive Company information assets in accordance with the Information Handling Standard and the Integrity Protection Standard.
    2. The use of Company-approved encryption shall be governed in accordance with the laws of the country, region, or other regulating entity in which Users perform their work. Encryption shall not be used to violate any laws or regulations.
    3. The Chief Administrative Officer (CAO) must approve all Company encryption processes before they are used.
    4. Encryption keys are considered sensitive Company information and access to them must be restricted on a need to know basis.
    5. Any potential or actual compromise of a User's encryption key must be reported to Lazarus Alliance, LLC. Information Security immediately, and in no case later than twenty-four (24) hours after discovery, so that the associated key or certificate can be revoked.
  2. Message Digest Algorithms
    1. The following are Company-approved message digest algorithms:
      1. SHA-1 (160-bit digest). SHA-1 no longer provides collision resistance and should be limited to grandfathered systems and to uses that require only second-preimage resistance.
      2. SHA-2 (SHA-224, SHA-256, SHA-384 or SHA-512, producing 224-, 256-, 384- or 512-bit digests respectively).
    2. Message digest algorithms are unkeyed; the sizes above are output (digest) lengths, not key lengths. Where a keyed digest is required, HMAC with an approved SHA-2 hash shall be used.
  3. Symmetric Key Algorithms
    1. The following are Company-approved symmetric block cipher algorithms:
      1. AES
      2. CAST5 (using a 128-bit key)
      3. Triple-DES
    2. Exceptions:
      1. Algorithms outside the approved list are authorized only in production systems already deployed as of September 12, 2013. Grandfathered systems and applications remain on this exception until the system is replaced or its encryption is upgraded to an approved algorithm, at which point the system or application is removed from exception status.
      2. As of May 2010, 3DES is still authorized by Visa and the other PCI consortium members. 3DES key sizes are 56 bits (three identical keys, which reduces to single DES and is not permitted), 112 bits (two-key 3DES) and 168 bits (three-key 3DES). Where 3DES is used instead of AES, three-key 168-bit 3DES shall be used.
    3. Prior to using encryption with any of the Company-approved symmetric encryption algorithms, the encryption key must be provided to Information Security to ensure appropriate Company representatives can retrieve information should the need arise.
    4. Symmetric keys shall be generated with a cryptographically secure random number generator, never derived from or chosen like a password. Any pass-phrase used to protect a stored symmetric key shall be handled in accordance with the password standards established in the Access Control Standard.
  4. Public Key Algorithms
    1. The following are Company-approved public-key algorithms:
      1. RSA with a 1024-bit or longer modulus. New deployments should use 2048-bit or longer keys, as 1024-bit RSA is no longer considered adequate by current industry guidance.
    2. Public key encryption packages must use Corporate Signing Keys or Additional Decryption Keys to ensure the Company can retrieve the encrypted information should the need arise.
    3. Temporary session keys used by public key cryptosystems such as Virtual Private Networks (VPN) are exempt from escrow.
    4. Users shall not extend trust to non-Company public keys without approval of Lazarus Alliance, LLC. Information Security.
    5. Key pairs shall be generated with a cryptographically secure random number generator. Private keys, and the pass-phrases that protect them, shall be handled in accordance with the password standards established in the Access Control Standard; public keys are not secret, but their authenticity must be verified before trust is extended to them.
    6. Pass-phrases protecting private keys shall contain more than one word and at least ten (10) characters in total.
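The following is an added example, not part of the HORSE sample standard, showing how the two key-handling rules above (random generation of the key itself, and a pass-phrase meeting the more-than-one-word, ten-character minimum to protect it at rest) can be enforced in code. It assumes PBKDF2-HMAC-SHA-256 with a random 16-byte salt and 600,000 iterations as the pass-phrase-to-key-encryption-key derivation; the standard fixes the pass-phrase rule but not the derivation function, so those parameters are this example's choice.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (the standard does not specify a KDF): PBKDF2 with
# HMAC-SHA-256, 600,000 iterations, 16-byte random salt, 256-bit output.
KDF_HASH = "sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def passphrase_meets_standard(passphrase: str) -> bool:
    """Section 4.6: more than one word and at least ten characters in total.
    A word is a run of non-whitespace characters, so 'two-words' is one word."""
    words = passphrase.split()
    return len(words) > 1 and len(passphrase) >= 10


def new_symmetric_key(key_bytes: int = KEY_BYTES) -> bytes:
    """Section 3.4: the data-encryption key itself comes from a CSPRNG,
    never from a password or pass-phrase."""
    return secrets.token_bytes(key_bytes)


def new_salt() -> bytes:
    return secrets.token_bytes(SALT_BYTES)


def derive_key_encryption_key(passphrase: str, salt: bytes) -> bytes:
    """Derive the key that protects a stored private or symmetric key.
    Refuses pass-phrases that do not meet the standard so a weak phrase can
    never be used, rather than merely warning about it."""
    if not passphrase_meets_standard(passphrase):
        raise ValueError("pass-phrase does not meet the Encryption Standard")
    return hashlib.pbkdf2_hmac(
        KDF_HASH, passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=KEY_BYTES
    )


def wrap_key(data_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """One-time-pad style wrap of a random data key under the derived KEK.
    This is for illustration of the key hierarchy only; a real
    implementation would use an authenticated key-wrap such as AES-KW."""
    kek = derive_key_encryption_key(passphrase, salt)
    if len(data_key) != len(kek):
        raise ValueError("data key length must equal KEK length")
    return bytes(a ^ b for a, b in zip(data_key, kek))


def unwrap_key(wrapped: bytes, passphrase: str, salt: bytes) -> bytes:
    return wrap_key(wrapped, passphrase, salt)  # XOR is its own inverse


def passphrase_unlocks(passphrase: str, salt: bytes, expected_kek: bytes) -> bool:
    """Constant-time comparison so a verifier does not leak the KEK prefix
    through timing. Returns False for a non-compliant pass-phrase."""
    try:
        candidate = derive_key_encryption_key(passphrase, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected_kek)


if __name__ == "__main__":
    salt = new_salt()
    data_key = new_symmetric_key()
    wrapped = wrap_key(data_key, "correct horse battery", salt)
    assert unwrap_key(wrapped, "correct horse battery", salt) == data_key
    print("wrapped key:", wrapped.hex())
```

The salt and iteration count must be stored beside the wrapped key (they are not secret) so the same KEK can be re-derived later; only the pass-phrase and the unwrapped data key are sensitive under Section 1.4.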


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.