The audience for this policy includes the IT people in your company involved in designing, purchasing, and implementing systems. You’ll want to make sure vendors and partners understand and agree to your acceptable encryption requirements when they implement solutions on your network.
This document consists of three parts: the acceptable encryption policy and two supporting standards—one for encryption technology and one for the handling of encryption keys. You may want to create an IT Security Subcommittee that reports to your IT Steering Committee and assign that subcommittee the task of customizing and maintaining this policy.
Read on for excerpts from the actual policy:
Policy
The following rules define _COMPANY’s policy governing acceptable encryption:
- Encryption must be employed when transporting Confidential or Restricted information across public-access channels. All data that has been classified as Confidential or Restricted must be encrypted when third-party transports are involved. Public-access channels include electronic transmission and all data movement involving physical media transport processes.
- Faxing confidential data via Voice Over Internet Protocol (VoIP) may require encryption. Confidential and Restricted information faxed over lines utilizing public-access VoIP may require encryption, depending on technology implemented.
- Encryption must be used on systems storing Restricted information. Users are required to encrypt all Restricted data on systems that are deemed as “high” risk of loss or theft, such as laptops, portable storage devices and personal communication devices.
- Disabling or defeating encryption is prohibited. No one may purposely disable encryption on a Production system without prior approval from the IT Department.
- Tools used to defeat encryption may not be stored on any _COMPANY system. An exception to this rule is made when the tools are being used for testing purposes. Only the IT Department is authorized to do encryption testing.
Encryption Technology Standard
Scope
This standard governs the use of encryption technology at _COMPANY and lists approved cryptographic algorithms that make use of cryptographic keys to provide the following security services: confidentiality, data integrity, authentication and non-repudiation.
Use only encryption technology that is proven and based on industry standards (i.e., Published, peer-reviewed source code). Approved encryption methods include:
- PGP
- SSL
- S/MIME
- X.509
- AES (FIPS 197)
- RSA (FIPS 186-2)
- 3DES (FIPS-46-3)
- Blowfish
- Use encryption that is as integrated and comprehensive as possible. Solutions should cover as wide a variety of applications as possible:
- Email, Attachments, IM
- Folders/Files, Disk Volumes
- FTP, File Transfers
- Telecommuting
- Anti-virus, Spam, Content Filtering
- Select encryption vendors with a proven track record and a long-term roadmap. Select suppliers who can provide multiple, industry-proven solutions, considering all the operating costs associated with a solution: support, training, complexity to manage/use.
- Implement encryption to achieve Security Policy goals. Encryption will be used to support security policy, not drive it. Embracing the tradeoffs between the highest level of security achievable and the product’s ease-of-use must be considered when choosing encryption that supports different policies and all classes of data. Policy dictates that _COMPANY Confidential and Restricted data classifications be protected end-to-end, requiring its use by suppliers.
- Select encryption that is scalable and is appropriately cost effective. An encryption solution must scale to all potential users without becoming a burden to administer. The encryption solution should be transparent to the users and provide gateway protection for securing any external connections.
- Use encryption that can recover data. Be certain to select technology that has a high rate of recovery reliability using Additional Decryption Key (ADK) technology.
