Encryption Policy

Version: 1.00Issue Date: 2/4/2015

This Encryption Policy specifies how data shall be encrypted based on its sensitivity classification. The classification of information or data will affect the level of encryption required for storage and transmission.

1.0 Overview

This Encryption Policy will help ensure that data is protected adequately for its needs. All staff members and anyone having custody of data for the organization should be familiar with this policy especially those who are the business owners of data.

2.0 Purpose

This Encryption Policy is intended to ensure that all information or data is properly encrypted based on its sensitivity classification so it is properly protected against unauthorized exposure, unauthorized or inaccurate changes, or loss. Encryption algorithms that are used to encrypt data must have been proven to be effective and have received significant public scrutiny. Also regulations governing the use of encryption technology must be adhered to.

3.0 Scope

This Encryption Policy applies to all data or information stored in electronic form. It applies to any data or information stored or used by the organization. This Encryption Policy applies to all organizational employees including contractors and part time workers. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Definitions

  • Proprietary algorithm - An encryption algorithm that is kept private and is not made public.
  • Asymmetric encryption - Also known as public key/private key encryption, asymmetric encryption uses one key to encrypt the data and another key to decrypt the data.
  • Symmetric encryption - The same key is used to both encrypt the data and to decrypt the data.

5.0 Requirements

  • All communication and storage of data must meet legal requirements regarding privacy, storage, and communication.
  • There shall be no use of proprietary encryption algorithms without review and approval by experts through the Chief Information Security Officer.
  • All sensitive data on mobile computers or mobile memory storage devices must be encrypted except during the time that it is being actively used.
  • Computers that have sensitive data stored on them may not transmit cleartext wireless signals. Wireless connections must be secure and encrypted with a minimum protocol of WAPII according to the Encryption and Wireless Policies.
  • All data that is stored or transmitted with a security sensitivity level of confidential or higher must be encrypted during both storage and transmission whether on a trusted or untrusted network.
  • Digital certificates should not be valid for longer than 5 years.
  • A trusted third party (Certification Authority) must verify certificates and cryptographic keys used for secure transactions before data with confidential or higher security requirements can be exchanged.
  • Digital signatures may be used to be sure a trusted source sent information. The approved protocols used with digital signatures must be set by the Chief Information Security Officer.
  • Time stamps are used with transactions and included in the message content when the content is digitally signed. Time stamps consider times zones as required.
  • Where sensitive data is exchanged for confidential or higher level sensitivity data, the information must meet minimum encryption requirements and should be exchanged over physically secure media where possible.
  • Before a secure channel can be opened to a third party, a certified cryptographic key must be used to establish the channel.
  • All local or national laws and regulations which may limit the export of encryption software must be followed. If a need for additional exportation or import is required, the government's permission must first be obtained.
  • Secure connections to e-commerce partners must be used for security and integrity of transactions.

6.0 Approved Encryption Techniques

Accepted Encryption Protocols and key lengths for symmetric storage of Sensitive data

Data Sensitivity LevelEncryption ProtocolMinimum Key Length
Top SecretAES256
SecretAES256
ConfidentialAES128 (256 when possible)

Accepted Encryption Protocols and key lengths for asymmetric transmission of Sensitive data

Data Sensitivity LevelEncryption ProtocolMinimum Key Length
Top SecretRSA3072
SecretRSA3072
ConfidentialRSA2048

Other encryption key lengths or protocols must be approved by the Chief Information Security Officer.

7.0 Key Management

  • All digital keys must be stored in encrypted form using an approved encryption protocol and technique.
  • Any digital keys that are suspected of being compromised must be revoked as soon as possible and affected parties must be informed.
  • Cryptographic keys must be distributed using a secure mechanism that is not the same as the channels to be opened (offline).
  • Policies must exist to allow for the generation, revocation, distribution, changing, storage, use and destruction of digital keys.
  • Procedures to tell when root key renewal is needed must be created.
  • The creation of root keys must be done with a proper ceremony with witnesses.
  • A statement about how the certification practices is done must be created. This statement describes the certification authority (CA) and registration authority (RA) practices.

8.0 Other Policies

  • Information Sensitivity Policy - Specifies how data is handled, stored, and transmitted through the project lifecycle based on its sensitivity category.
  • Data Classification Policy - Specifies how data is classified for sensitivity.

9.0 Enforcement

Since data encryption is important for protecting data stored or transmitted by the organization to prevent damage, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

10.0 Other Requirements

  • Policies and procedures must be written for the management of keys.
  • An approved list of encryption technologies and minimum key lengshs must be created and published.

Some Protocol Comparisons

  • SHA1 - Produces 160 bit digest, more resource intensive than MDA5
  • DES has been replaced in many applications by Triple DES, which has 112 bits of security with 168-bit keys.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________