
Sample – Encryption Policy

September 4, 2019

Introduction

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States. 

Policy

Proven, standard algorithms such as AES, RSA, and the elliptic-curve schemes ECDH and ECDSA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, OpenPGP implementations such as GnuPG combine a symmetric cipher (typically AES) with RSA or elliptic-curve Diffie-Hellman for key exchange, while TLS (the successor to SSL, which is obsolete and must not be enabled) uses RSA or elliptic-curve Diffie-Hellman key exchange together with an authenticated symmetric cipher such as AES-GCM for the session. Algorithms that are obsolete or have known practical weaknesses, such as DES, RC4 and the 64-bit block ciphers 3DES, Blowfish, IDEA and RC5, are not approved for new deployments. Symmetric cryptosystem key lengths must be at least 128 bits (for example AES-128 or AES-256). Asymmetric crypto-system keys must be of a length that yields equivalent strength: NIST SP 800-57 rates RSA-2048 at roughly 112 bits of security, and RSA-3072 or a 256-bit elliptic curve at roughly 128 bits, so RSA and Diffie-Hellman keys must be at least 2048 bits and elliptic-curve keys at least 256 bits. Corporate’s key length requirements will be reviewed annually and upgraded as technology allows.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Corporate’s Information Security team. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside. 

Scope

This policy applies to all employees of Corporate and its subsidiaries.

Failure to comply with this policy may result in disciplinary action up to and including termination. 

Best Practices

The following best practices are used for encryption:

  • Corporate shall utilize encryption to protect confidential data as determined by the client or appropriate regulatory groups.
  • Corporate will use only encryption mechanisms and modules that have met FIPS 140-3 certification, or are in the process of being certified.
  • Corporate shall utilize the strongest encryption algorithm available within each application suite and will utilize a key length permitted for FIPS 140-3 validated modules (see NIST SP 800-131A).
  • Corporate will restrict access to the encryption keys to the fewest individuals possible.
  • Each operational unit that encrypts data shall have a key management process that addresses the following as a minimum:
    • Generation of strong keys.
    • Secure key distribution.
    • Secure key storage.
    • Periodic changing of keys, as deemed necessary and recommended by the associated application (for example, re-keying), preferably automated.
    • Destruction of old keys.
    • Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key).
    • Prevention of unauthorized substitution of keys.
    • Replacement of known or suspected compromised keys.
    • Revocation of old, compromised, or invalid keys.
    • Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities.
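The key-management items above (strong key generation, split knowledge with dual control, and prevention of unauthorized substitution) can be exercised in code. The following is an added example, not part of the sample policy: it generates a 256-bit key from the operating system CSPRNG, splits it into three custodian components with a 2-of-3 threshold using Shamir secret sharing over the prime field modulo 2^521 - 1, and records a short key check value (here, an assumed convention of the first six hex digits of SHA-256) that custodians can compare at a key ceremony without exposing the key. The field prime, the KCV format and the function names are choices made for this illustration.

```python
"""Split knowledge / dual control for a symmetric key via Shamir secret sharing.
Added example for the policy's key-management items; not part of the policy."""
import hashlib
import secrets

# Prime field large enough to hold any 256-bit key as one field element.
# 2**521 - 1 is the Mersenne prime M521 (assumption: chosen here for convenience).
P = (1 << 521) - 1


def generate_key(nbytes: int = 32) -> bytes:
    """Generate a strong symmetric key from the OS CSPRNG (256 bits by default)."""
    return secrets.token_bytes(nbytes)


def key_check_value(key: bytes) -> str:
    """Short fingerprint custodians can compare without revealing the key.
    Assumption: SHA-256 truncated to 6 hex digits, in the style of a KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, custodians: int):
    """Split `key` into `custodians` components; any `threshold` of them
    reconstruct it, while fewer reveal nothing about it."""
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians")
    secret = int.from_bytes(key, "big")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def reconstruct_key(components, nbytes: int = 32) -> bytes:
    """Lagrange-interpolate the components at x = 0 to recover the key."""
    secret = 0
    for i, (xi, yi) in enumerate(components):
        num = den = 1
        for j, (xj, _) in enumerate(components):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    if secret >> (8 * nbytes):
        # Too few, or mismatched, components yield a random field element.
        raise ValueError("components do not reconstruct a key of this size")
    return secret.to_bytes(nbytes, "big")


def reconstruction_matches(components, kcv: str, nbytes: int = 32) -> bool:
    """Dual-control check at the ceremony: do these components rebuild the key
    whose KCV was recorded at generation? Fails on substituted components."""
    try:
        return key_check_value(reconstruct_key(components, nbytes)) == kcv
    except ValueError:
        return False


if __name__ == "__main__":
    key = generate_key()
    kcv = key_check_value(key)
    comps = split_key(key, threshold=2, custodians=3)
    print("KCV recorded at generation:", kcv)
    print("custodians 1+2 reconstruct:", reconstruction_matches(comps[:2], kcv))
    print("custodians 2+3 reconstruct:", reconstruction_matches(comps[1:], kcv))
    print("custodian 1 alone:", reconstruction_matches(comps[:1], kcv))
```

Each custodian holds only an (x, y) pair; a single component is a uniformly random field element and carries no information about the key, which is the property the split-knowledge requirement asks for. A component swapped in from a different key split fails the KCV comparison, which is the substitution check. The script works with whole keys in process memory for clarity; in production the split and reconstruction would happen inside an HSM or similar module.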

Definitions

Proprietary Encryption: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.
Symmetric Cryptosystem: A method of encryption in which the same key is used for both encryption and decryption of the data.
Asymmetric Cryptosystem: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).