Cryptographic controls policy
The organisation's approach to cryptographic controls (which algorithms, products and key management practices are in use, and where) should itself be treated as protected information: an unwelcome party who knows the techniques and tools employed has a better chance of breaching them. A policy owner should be identified and made responsible for implementation and for key management.
Depending upon the information classification and the risk assessment, the encryption used should be selected on the basis of type, strength and quality (the algorithm, the key length and mode of operation, and the assurance of the implementation). Specialist advice should be sought in this area.
Encryption should be considered for all types of removable media and for all channels that transmit information internally and externally. The encryption policy should take into account the controls used to detect and remove malware, since content that is encrypted end to end cannot be inspected by those controls while in transit or at rest.
Cryptographic controls can be used to provide confidentiality, integrity, authenticity and non-repudiation, and to support authentication.
The key management policy should cover the whole key lifecycle: the generation, storage, archiving, retrieval, distribution, retirement and destruction of keys.
Keys should be protected from modification, loss, disclosure and misuse. Any equipment used to generate, store or archive keys should be physically protected, to a level determined by the risk assessment.
Activation and deactivation dates should be set for keys as part of the key management function, again subject to a risk assessment, so that each key is usable only for a defined period and the exposure from any compromise is bounded.

Where public keys are issued by an external supplier (for example, certificates from a certification authority), a Service Level Agreement should be in place covering the responsibilities of the provider. You may also need to define how legal requests for keys from law enforcement or other legal authorities will be handled.
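The lifecycle and activation/deactivation requirements above can be enforced in software rather than left to procedure. The following is an added illustration, not part of the original policy text or any particular product: a hypothetical in-memory key registry that walks a key through pending, active, deactivated (archived) and destroyed states, allows a deactivated key to be retrieved only to process data already protected with it, and zeroises material on destruction. The key identifiers, dates and the use of HMAC-SHA256 as the "protect" operation are assumptions chosen for the demonstration; a real deployment would hold material in an HSM or KMS rather than process memory.

```python
"""Hypothetical key registry enforcing activation/deactivation windows and
lifecycle states. Added example, not from the original policy text.
Key material is random bytes used with HMAC only to show the checks."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyState(Enum):
    PENDING = "pending"          # generated, activation date not yet reached
    ACTIVE = "active"            # may protect new data and process existing data
    DEACTIVATED = "deactivated"  # archived: may only process data already protected
    DESTROYED = "destroyed"      # material zeroised, nothing permitted


class KeyUnavailable(Exception):
    pass


@dataclass
class ManagedKey:
    key_id: str
    activate_at: datetime
    deactivate_at: datetime
    state: KeyState = KeyState.PENDING
    material: bytearray = field(default_factory=bytearray)


class KeyRegistry:
    def __init__(self):
        self._keys = {}
        self.audit_log = []  # (key_id, event) tuples, in order of occurrence

    def _log(self, key_id, event):
        self.audit_log.append((key_id, event))

    def generate(self, key_id, activate_at, lifetime, length=32):
        if key_id in self._keys:
            raise ValueError("key id reuse is not permitted")
        key = ManagedKey(key_id, activate_at, activate_at + lifetime,
                         material=bytearray(secrets.token_bytes(length)))
        self._keys[key_id] = key
        self._log(key_id, "generated")

    def _refresh(self, key, now):
        # Time-driven transitions only move forward; retire/destroy are never undone.
        if key.state is KeyState.PENDING and now >= key.activate_at:
            key.state = KeyState.ACTIVE
            self._log(key.key_id, "activated")
        if key.state is KeyState.ACTIVE and now >= key.deactivate_at:
            key.state = KeyState.DEACTIVATED
            self._log(key.key_id, "deactivated")

    def state(self, key_id, now):
        key = self._keys[key_id]
        self._refresh(key, now)
        return key.state

    def use(self, key_id, operation, now):
        """Return material for 'protect' (new MACs/encryption) or
        'process' (verify/decrypt existing data); raise otherwise."""
        key = self._keys[key_id]
        self._refresh(key, now)
        allowed = {KeyState.ACTIVE: {"protect", "process"},
                   KeyState.DEACTIVATED: {"process"}}.get(key.state, set())
        if operation not in allowed:
            self._log(key_id, f"denied:{operation}:{key.state.value}")
            raise KeyUnavailable(f"{key_id} is {key.state.value}; {operation} not permitted")
        self._log(key_id, f"used:{operation}")
        return bytes(key.material)

    def retire(self, key_id, now):
        key = self._keys[key_id]
        self._refresh(key, now)
        if key.state is KeyState.DESTROYED:
            raise KeyUnavailable(f"{key_id} already destroyed")
        key.state = KeyState.DEACTIVATED
        self._log(key_id, "retired")

    def destroy(self, key_id):
        key = self._keys[key_id]
        for i in range(len(key.material)):  # overwrite before dropping the buffer
            key.material[i] = 0
        key.material = bytearray()
        key.state = KeyState.DESTROYED
        self._log(key_id, "destroyed")


def mac(registry, key_id, operation, message, now):
    return hmac.new(registry.use(key_id, operation, now), message, hashlib.sha256).digest()


def demo():
    """Walk one key through its lifecycle and report the outcome of each step."""
    reg = KeyRegistry()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    reg.generate("k1", activate_at=t0 + timedelta(days=1), lifetime=timedelta(days=30))
    results = {}
    try:
        mac(reg, "k1", "protect", b"early", t0)
        results["before_activation"] = "allowed"
    except KeyUnavailable:
        results["before_activation"] = "denied"
    tag = mac(reg, "k1", "protect", b"msg", t0 + timedelta(days=2))
    results["during_window"] = "allowed"
    t_late = t0 + timedelta(days=40)
    try:
        mac(reg, "k1", "protect", b"new", t_late)
        results["protect_after_deactivation"] = "allowed"
    except KeyUnavailable:
        results["protect_after_deactivation"] = "denied"
    results["verify_after_deactivation"] = hmac.compare_digest(
        mac(reg, "k1", "process", b"msg", t_late), tag)
    reg.destroy("k1")
    try:
        mac(reg, "k1", "process", b"msg", t_late)
        results["after_destroy"] = "allowed"
    except KeyUnavailable:
        results["after_destroy"] = "denied"
    results["final_state"] = reg.state("k1", t_late).value
    results["audit_events"] = len(reg.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The split between "protect" and "process" is what makes archiving workable: data sealed under a key that has passed its deactivation date can still be read or verified, but nothing new may be protected with it, and once the key is destroyed even that stops. The audit log is the evidence trail the policy owner would review.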