The purpose of this policy is to define the way in which FundApps manages cryptographic controls to protect the confidentiality, authenticity and/or the integrity of information.
The policy applies to all FundApps Information Systems.
FundApps will implement cryptographic controls to protect information as defined in the Data Classification and Protection Standard.
The following table summarises when cryptography must be used, by data classification:
Control                                  Public    Open        Restricted   Confidential
Encryption in transit                    -         Mandatory   Mandatory    Mandatory
Encryption at rest                       -         -           -            Mandatory
Encryption at rest on removable media    -         -           Mandatory    Mandatory
The minimum length of a symmetric key to encrypt restricted client data at rest is 256 bits.
Cryptographic keys must be generated, transmitted, stored and managed in a secure manner that prevents loss, unauthorised access, or compromise.
Access: Access to cryptographic keys must be restricted to authorised staff only.
Distribution: Private and symmetric keys must be distributed securely, such as through the use of secure email or out-of-band techniques like phone conversations with known individuals. Physical transportation of private and symmetric keys requires that they be encrypted.
Physical security: Equipment used to generate, store and archive keys must be physically protected using appropriate, secure access controls.
Key rotation: Cryptographic keys must be rotated at a minimum every 3 years.
Compromised keys: In the event of a cryptographic key being compromised, a new key (or key pair) must be generated and the existing key must be revoked.
Backup: Backup of cryptographic keys must be maintained to recover them should they be lost.
Logging and auditing: All accesses to cryptographic keys as well as modifications to these keys must be logged. Logs must be audited for anomalous activity.
The Information Security Lead is responsible for ensuring the policy is aligned to FundApps' business objectives.
Encryption ciphers and key lengths used to protect information must comply with requirements set out in .
The system owner, as defined in , is responsible for ensuring information is protected by cryptographic controls as set out in this policy.