Cryptographic Controls

Policy on the Use of Cryptographic Controls

The purpose of this policy is for CX Index to assess the appropriateness of cryptography in CX Index and, if deemed appropriate, implement policies, standards and controls for its use.

Only CX Index-approved uses of cryptography (encryption of any form) are allowed. This includes the methods of use (disk encryption, digital signatures, etc.) as well as algorithms or key strengths to be used. The Senior Management must authorise encryption products before they are used.

Information to consider in the use of any encryption product includes:

  • General principles under which business information should be protected
  • The determination of the appropriate levels of cryptographic controls to be used
  • Selection of appropriate methodology (private keys or public keys)
  • Key management
  • Recovery of information when keys are lost, compromised or damaged
  • Roles and responsibilities for implementation
  • Roles and responsibilities for key management
  • Specific policies for use
  • Implementation of policies for use

The Senior Management will publish a list of approved encryption products, their approved uses, and standards for their configuration and use.  These standards will take into account the considerations listed above.

Encryption

CX Index considers the use of encryption appropriate for protecting the information resources of the company in approved circumstances.  The purpose of this policy is to regulate the use of encryption for the protection of sensitive or confidential data resources while ensuring that its use is proper and effective.

A risk assessment will be done for any highly sensitive information, and will include:

  • The need for encryption;
  • The implementation of encryption;
  • Policies for encryption;
  • The appropriate level of sophistication of the encryption algorithms chosen;
  • The appropriate lengths of keys to be used;

The Senior Management shall seek legal advice for issues that relate to the proper and legal use of encryption.  This advice will consider national regulations concerning the trans-border flow of encrypted information, and export and import of encryption technology.

CX Index shall seek the advice of specialists to select the correct products, design and implement the correct algorithms and key management programs, as appropriate.

Digital Signatures

CX Index will consider the appropriateness of the use of digital signatures to protect and authenticate the integrity of electronic documents.  The Senior Management shall assess the need for various cryptographic tools related to digital signatures.

The Senior Management will carry out a risk assessment to assess the need for guaranteed message authentication and integrity. The risk assessment will cover:

  • The use and cooperation of use among CX Index’s trading partners
  • Necessary contracts and agreements between trading partners
  • Documents appropriate for digital signature cryptography
  • Key security 
  • Key Management 
  • Use of different keys than those that are used with encryption 
  • Relevant legislation on the use of and legal standing of digital signatures

The Senior Management will publish standards and guidelines concerning the use of digital signatures where they are deemed necessary or desired.

Non-repudiation Services

In support of digital signatures, CX Index will consider non-repudiation services where necessary. The purpose of this policy is to anticipate disputes regarding the substantiation of receipt of a digitally signed document and to have a mechanism for their resolution in place before a dispute arises.

If necessary, the Senior Management will publish standards and guidelines concerning support services for non-repudiation of digital signatures.  These standards and guidelines should include:

  • Establishing identification and ownership of digital certificates and private keys
  • Generation of truly private keys (i.e., no one but the owner has ever had access to the private key)
  • Safeguarding private keys (i.e., tamper-proof storage, physical security, etc.)

Key Management

The weakest component of any cryptographic solution is the protection of the encryption keys.  To ensure the protection of cryptographic keys, both public and private keys, CX Index will enact policies and procedures concerning key management.  Key management policies and procedures will protect all keys from modification, destruction and unauthorised disclosure that could lead to a compromise in the authenticity, integrity and confidentiality of information.

Protecting Encryption Keys and Systems

A management plan and system shall be in place for the use of public and private keys that ensures the confidentiality and integrity of the private keys.

Keys shall be changed immediately if it is suspected that the keys were compromised.  This may entail re-encrypting stored data with new secret or public keys.

All application systems that are using cryptography shall have different keys, and the application owner shall be responsible for generating and managing the keys in accordance with this policy and any applicable standards and guidelines published by the Senior Management.

A list of systems that require keys shall be kept and evaluated periodically to ensure the accuracy and relevancy of the list.

Keys will be distributed and stored in a secure manner.  Old versions of keys (i.e., keys that have been revoked) will be maintained in a secure manner to cover eventualities where data may have been encrypted with these keys before their revocation and have not been switched to new keys.

Key Management Standards

The Senior Management shall establish standards, procedures and methods for key management.   These standards will include the following:

  • Secure procedures for obtaining and storing keys
  • Establishing and documenting the rules for changing and updating keys.
  • Procedures for dealing with compromised keys or keys that have been revoked or deactivated.
  • Secure procedures for destroying keys, including how and by what method.
  • Secure procedures for key management business continuity including:
    • Recovering lost or corrupted keys
    • Supplier provisions for system loss
    • Archiving keys for archived or backed-up information after keys have been changed
  • Secure procedures for legal issues including:
    • Requests for access to cryptographic keys (in the case of unencrypted information requirements in court proceedings)
    • Legal agreements with suppliers of cryptographic services (including liability, reliability and response times)
    • Legal agreements with trading partners
  • Secure procedures for establishing and defining the relationship between CX Index and a trusted third party certification authority for the protection of public keys, if used.

