Encryption Considerations
March 29, 2011At a minimum, it should include management acceptance of the solution and approval to proceed to a production state (e.g., management accreditation).
o Complete informal or formal management accreditation of the encryption solution (i.e., acceptance of the solution) and obtain approval to operate
o If appropriate, perform data re-alignment activities that were not possible prior to implementation
o Turn on the actual encryption capabilities (e.g., activate background encryption on existing data)
o If appropriate, complete final data re-alignment activities that were not possible prior to activation of encryption
Encryption
Review the information security risk assessment and identify those items and areas classified as requiring encryption.
Evaluate the appropriateness of the criteria used to select the type of encryption/cryptographic algorithms.
Consider if cryptographic algorithms are both publicly known and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish, etc.) or banking industry standard algorithms.
Note the basis for choosing key sizes (e.g., 40-bit, 128-bit) and key space.
Identify management’s understanding of cryptography and expectations of how it will be used to protect data.
o Determine whether cryptographic key controls are adequate.
o Identify where cryptographic keys are stored.
o Review security where keys are stored and when they are used (e.g., in a hardware module).
o Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
o Verify that two persons are required for a cryptographic key to be used, when appropriate.
Review audit and security reports that review the adequacy of cryptographic key controls.
o Determine whether adequate provision is made for different cryptographic keys for different uses and data.
o Determine whether cryptographic keys expire and are replaced at appropriate time intervals.
o Determine whether appropriate provisions are made for the recovery of data should a key be unusable.
o Determine whether cryptographic keys are destroyed in a secure manner when they are no longer required.
www.bestitdocuments.com