Encryption Policy

Ensure proper and effective use of encryption to protect the confidentiality, authenticity and/or integrity of the Corporate Group’s information.

Scope

This policy applies to any network, Information Asset, device (Corporate Group owned or personal), and application that creates, stores, or transmits the Corporate Group’s information.

The table below lists the Corporate Group’s information types by classification and indicates which of them have been classified as requiring encryption.

Data Type                           Data Classification   Encryption Required
----------------------------------  --------------------  -------------------
Confidential Information            Confidential          Yes
Business Information                Internal Use          Yes
Personal Identifiable Information   Internal Use          Yes
Payment Card Holder Information     Internal Use          Yes
Public Information                  Public                No

Cryptographic Controls

Encryption at Rest

  • All electronic devices which receive, store, and/or transmit information that requires encryption (protected information) must use approved encryption methods that comply with applicable laws and regulations.

  • Servers and workstations are required to be full-disk encrypted.

  • Mobile devices (e.g., smartphones and tablets) that contain protected information must be full-disk encrypted, or the mobile device applications must encrypt all received, stored, and/or transmitted protected information.

  • The Corporate Group’s external storage media (e.g., backup tapes, removable drives) must be encrypted.

Encryption in Motion (in transit)

  • Protected information transmitted on an internal network or to an external network must use approved encryption methods that comply with applicable laws and regulations.

  • Files containing protected information that are transmitted across a public network (e.g., email attachments or file transfers to other entities) must be encrypted or delivered using one of the Corporate Group’s secure encrypted methods.

  • All transmissions of protected information across public infrastructure must either encrypt the information itself or encrypt the connection between the sending and the receiving entity.

  • All transmissions of protected information across public networks must ensure the integrity of the protected information, so that it cannot be improperly modified in transit without detection.

Encryption in Use

  • Protected information during use may be encrypted using approved homomorphic encryption methods that comply with applicable laws and regulations.

Key Management

  • Cryptographic algorithms, key lengths, and usage requirements are determined based on best practices.

  • Secure cryptographic key generation, storage, archiving, retrieval, distribution, liquidation, and destruction processes are in place for key management.

  • All cryptographic keys are protected from alteration and loss.

  • Secret and private keys are protected against unauthorized use and disclosure.

  • The equipment used to generate, store, and archive keys is physically protected.

Certificates

  • Certificates deployed on Information Assets must be centrally distributed.

  • Certificates are obtained from a trusted Certificate Authority.

Compliance

  • Exceptions to this Policy are approved by the Security Team in advance.

  • Exceptions are reviewed periodically and removed when a suitable solution is available.

Review and Update

This Policy must be maintained in accordance with the Information Security Policy.

Revision History

Version  Author  Approved By  Revision date  Approval date
-------  ------  -----------  -------------  -------------
0.1      GK                   2023-05-20     2023-05-23
0.2      DM                   2023-11-02     2023-11-02
0.3      GK      DM           2024-09-10     2024-09-10
