IT Security Policy - Cryptography
Introduction
The purpose of this policy is to ensure the correct use of cryptography to protect the confidentiality, authenticity, and integrity of the organisation’s information.
Scope
This Cryptography Policy applies to all business processes and data, information systems and components, personnel, and physical areas of Oxford Economics.
Cryptographic Controls
Oxford Economics will develop a policy surrounding the proper procedures for using cryptographic controls. The following items should be considered:
- Based on a risk assessment, the required level of protection should be identified, taking into account the type, strength, and quality of the encryption algorithm required.
- The use of encryption for the protection of information transported by mobile or removable media devices or across communication lines.
- The standards to be adopted for effective implementation throughout the organisation.
- The impact of using encrypted information on controls that rely upon content inspection.
Key Management
- Cryptographic keys should be protected throughout their whole lifecycle.
- Cryptographic algorithms, key lengths, and usage practices should be selected according to best practices.
- All cryptographic keys should be protected against modification and loss. In addition, secret and private keys need protection against unauthorised use as well as disclosure.
- Equipment used to generate, store, and archive keys should be physically protected.
- A key management system should be based on an agreed set of standards, procedures, and secure methods for:
  - Generating keys for different cryptographic systems and different applications.
  - Issuing and obtaining public key certificates.
  - Distributing keys to intended entities, including how keys should be activated when received.
  - Storing keys, including how authorised users obtain access to keys.
  - Changing or updating keys, including rules on when keys should be changed and how this will be done.
  - Dealing with compromised keys.
  - Revoking keys, including how keys should be withdrawn or deactivated.
  - Recovering keys that are lost or corrupted.
  - Backing up or archiving keys.
  - Destroying keys.
- Logging and auditing of key management related activities.