Encryption Key Management, if not done properly, can lead to compromise and disclosure of the private keys used to secure sensitive data and hence, compromise of the data. While users may understand it’s important to encrypt certain documents and electronic communications, they may not be familiar with minimum standards for protecting encryption keys.
This policy outlines the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key and use of tamper-resistant hardware.
This policy applies to any encryption keys listed below and to the person responsible for any encryption key listed below. The encryption keys covered by this policy are:
- encryption keys issued by Cyberfusion for R1Soft backups
The public keys contained in digital certificates are specifically exempted from this policy.
All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use.
- Secret Key Encryption Keys
Keys used for secret key encryption, also called symmetric cryptography, must be protected while they are distributed to all parties that will use them. Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.
- Hardware Token Storage
Hardware tokens storing encryption keys will be treated as sensitive company equipment when outside company offices. In addition, all hardware tokens (smartcards, USB tokens, etc.) will not be stored or left connected to any end user’s computer when not in use. End users traveling with hardware tokens will, where possible, not store or carry them in the same container or bag as any computer.
- Personal Identification Numbers (PINs), Passwords and Passphrases
All PINs, passwords and passphrases used to protect encryption keys must meet acceptable complexity and length requirements.
- Loss and Theft
The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to the Infosec team. Infosec personnel will guide the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.
- Compliance Measurement
The Infosec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the Infosec team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.