Sample Encryption Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 14:23, 24 July 2006 by Mdpeters (talk | contribs)

The <Your Company Name> (the "Company") Sample Asset Protection Policy defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of <Your Company Name> information assets.

This Encryption Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for the encryption of sensitive information assets.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Additional Decryption Key refers to a Company-designated public key to which messages sent or received by Users are additionally encrypted, so that, under certain circumstances, the holder of the corresponding private key can decrypt them.

Confidentiality refers to protecting confidential information from disclosure. Information shall be disclosed only to those authorized to access it.

Corporate Signing Key refers to the Company key pair designated as the system-wide trust anchor: its public key is trusted by all Users, and signatures made with its private key are used to certify other Users' keys.

Encryption refers to a method of scrambling information to render it unreadable to anyone except the intended recipient, who must decrypt it to read it.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Integrity refers to the protection of information and systems from malicious, unauthorized, or accidental changes.

Message Digest Algorithm refers to a function that derives a fixed-size "thumbprint" (digest) from a message; any change to the message changes the digest, which is how the digest is used to verify integrity.

Public Key Algorithm refers to a mathematical function or process that generates two mathematically related keys such that the information encrypted with one key can be decrypted only with the other key.

Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

Session Key refers to the symmetric key used to encrypt each set of data on a per transaction basis. A different key is used for each communication session.

Symmetric Block Cipher Algorithm refers to a method of encryption in which a cryptographic key and algorithm are applied to a fixed-size block of data as a group, rather than to one bit at a time, to produce encrypted (cipher) text.

Symmetric Key Algorithm refers to a mathematical function or process where encryption and decryption keys are either the same or can be calculated from one another.

II. Requirements


A. General Requirements

1. Encryption shall be used to protect the confidentiality and integrity of sensitive Company information assets in accordance with the Sample Information Handling Standard and the Sample Integrity Protection Standard.


2. The use of Company-approved encryption shall be governed in accordance with the laws of the country, region, or other regulating entity in which Users perform their work. Encryption shall not be used to violate any laws or regulations.


3. <SPECIFY ROLE OR DEPARTMENT> must approve all Company encryption processes before they are used.


4. Encryption keys are considered sensitive Company information and access to them must be restricted on a need to know basis.


5. Any potential or actual compromise of a User's encryption key must be reported to <SPECIFY TITLE OR DEPARTMENT> within <SPECIFY TIMEFRAME>.


B. Message Digest Algorithms

1. The following are Company-approved message digest algorithms:


  • SHA-1 (160-bit digest)
  • MD5 (128-bit digest)

Note: message digest algorithms take no key; the figures above are digest lengths. Practical collision attacks have been published for both MD5 (2004) and SHA-1 (2017), so neither provides collision resistance; this is why item 3 below bars MD5 from signatures and certificates, and the same limitation applies to SHA-1.


2. MD5 shall be used for file hashing only.


3. MD5 shall not be used in signatures or certificates.


C. Symmetric Key Algorithms

1. The following are Company-approved symmetric block cipher algorithms:


  • Triple-DES
  • Blowfish


2. Prior to using encryption with any of the Company-approved symmetric encryption algorithms, the encryption key must be provided to <SPECIFY THE CENTRAL COMPANY KEY ESCROW NAME> to ensure appropriate Company representatives can retrieve information should the need arise.


3. Symmetric keys should be generated and handled in accordance with Company password standards established in the Sample Access Control Standard.


D. Public Key Algorithms

1. The following are Company-approved public-key algorithms:


  • RSA with <SPECIFY #>-bit to <SPECIFY #>-bit key
  • Diffie-Hellman with <SPECIFY #>-bit to <SPECIFY #>-bit key


2. Public key encryption packages must use Corporate Signing Keys or Additional Decryption Keys to ensure the Company can retrieve the encrypted information should the need arise.


3. Temporary session keys negotiated by public key protocols, such as those used by Virtual Private Networks (VPN), are exempt from escrow.


4. Users shall not extend trust to non-Company public keys without approval of <SPECIFY>.


5. Public keys should be generated and handled in accordance with Company password standards established in the Sample Access Control Standard.


6. Public key pass-phrases should contain more than one word and a minimum of <SPECIFY #> total characters.
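The mechanism behind items 2 and 3 above (and the Additional Decryption Key and Session Key definitions in the Scope section) is hybrid encryption: each message is protected with a fresh symmetric session key, and that session key is wrapped separately to the recipient's public key and to the ADK public key, so the escrowed ADK private key can recover the message without the session key itself ever being escrowed. The following is an added example illustrating that structure; it is not code from the original standard. It uses Go's standard library only, with AES-256-GCM as the symmetric cipher and RSA-OAEP (SHA-256) as the public key algorithm; the page lists Triple-DES and Blowfish, but the wrapping structure does not depend on which block cipher is used. The Envelope type, the keyID scheme and the sample message are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one protected message: the ciphertext plus one copy of the
// session key for every public key allowed to open it (recipient and ADK).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte            // AES-256-GCM output, authentication tag included
	WrappedKey map[string][]byte // key ID -> session key encrypted with RSA-OAEP
}

// GenerateKey wraps rsa.GenerateKey so callers need no crypto imports.
func GenerateKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// keyID names a public key by a truncated SHA-256 of its modulus (an
// assumption of this example; real systems use a standard fingerprint format).
func keyID(pub *rsa.PublicKey) string {
	sum := sha256.Sum256(pub.N.Bytes())
	return fmt.Sprintf("%x", sum[:8])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh 256-bit session key, encrypts plaintext under it, and
// wraps that key separately to each recipient public key. Passing the ADK as
// one of the recipients is what lets the Company recover the data later.
func Encrypt(plaintext []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipient keys")
	}
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[keyID(pub)] = wrapped
	}
	return env, nil
}

// Decrypt unwraps the session key with priv (the recipient's key or the ADK
// private key held in escrow), then authenticates and decrypts the message.
// It fails if priv is not one of the wrapped-to keys or if the ciphertext,
// nonce or tag was modified in transit.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKey[keyID(&priv.PublicKey)]
	if !ok {
		return nil, errors.New("session key is not wrapped to this key")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	user, _ := GenerateKey(2048)
	adk, _ := GenerateKey(2048)
	// Constructed sample message for the demonstration.
	env, err := Encrypt([]byte("Restricted: Q3 acquisition terms"), &user.PublicKey, &adk.PublicKey)
	if err != nil {
		panic(err)
	}
	for name, k := range map[string]*rsa.PrivateKey{"user": user, "adk": adk} {
		pt, err := Decrypt(env, k)
		fmt.Printf("%s: %q err=%v\n", name, pt, err)
	}
}
```

Because the session key is generated per message and discarded, nothing beyond the ADK private key needs to sit in escrow, which is the point of the VPN exemption in item 3. A third key that was not wrapped to cannot open the envelope, and GCM's authentication tag rejects any altered ciphertext.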


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Encryption Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Encryption Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Encryption Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Encryption Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Encryption Standard and associated guidelines, and for determining the business impact if the integrity of an information asset is compromised.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information, and coordinating with administrators to ensure proper encryption controls are used.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Encryption Standard and associated guidelines; properly using Company-approved encryption to safeguard sensitive Company information; and reporting loss or compromise of any encryption keys within <SPECIFY TIMEFRAME> to <SPECIFY ROLE OR DEPARTMENT> and their immediate supervisor.

IV. Enforcement and Exception Handling


Failure to comply with the Encryption Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Encryption Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Encryption Standard.

V. Review and Revision


The Encryption Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer