3.2 Encryption and Key Management Policy
Purpose and Scope
This Encryption and Key Management Policy provides guidance on the types of devices and media that need to be encrypted, when encryption must be used, the minimum standards of the software used for encryption, and the requirements for generating and managing keys at Sord. Mistakes in selecting keys, implementing the encryption/decryption process, and managing keys and other secrets are common causes of data exposure.
From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including applicable laws and regulations.
This policy applies to all Sord assets utilized by personnel acting on behalf of Sord or accessing its applications, infrastructure, systems, or data. All personnel are required to read, accept, and follow all Sord policies and plans.
Cryptographic Key Requirements
Personnel of Sord must use industry-approved strong algorithms for encryption processes for data in transit and at rest.
Strong Standards
Transport Layer Security
Sord recommends the use of TLS 1.3. At a minimum, TLS 1.2 must be used.
Databases at Rest
Sord requires that data at rest be encrypted only with strong encryption methods, in line with the Algorithms defined below.
Algorithms
Sord requires that all encryption algorithms comply with the standards set forth in NIST Security Requirements for Cryptographic Modules (FIPS 140-3) and the NIST CMVP Approved Security Functions (S.P. 800-140C Rev. 2).
Key Management
Keys must be protected to prevent unauthorized disclosure and subsequent fraudulent use.
Users handling private keys must physically and logically secure them.
Do not share keys with anyone else.
Never re-use keys to encrypt other information.
Generating Keys
To generate a key, you must use an industry-standard random key-generation mechanism. See the OWASP Key Management Cheat Sheet.
Keys should not be based on common words or phrases.
Key Rotation
Encryption keys should be changed (or rotated) based on a number of different criteria:
If the key is or may be compromised.
For example, an ex-employee may have had access to a key.
After a specified period of time has elapsed (known as the cryptoperiod).
After the key has been used to encrypt a specific amount of data.
If there is a significant change to the security provided by the algorithm (such as a new attack being announced).
Key Storage
When available, the secure storage mechanisms provided by the operating system, framework or cloud service provider should be used. The key management system must ensure that all encryption keys are secured and that access is limited to authorized Sord personnel.
This may include:
A physical Hardware Security Module (HSM).
A virtual HSM.
Key vaults such as Amazon KMS or Azure Key Vault.
This Encryption guidance is based on the following documents and must be reviewed by every employee or contractor of Sord that handles keys:
Exceptions
Sord business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and from committing any other security breaches.
Responsibility, Review, and Audit
Jonathan Gautsch or a designee is responsible for ensuring compliance across Sord with respect to this policy with the use of a variety of monitoring tools.
Sord reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.