Cryptographic Policy
Objective
The purpose of this policy is to define the way in which FundApps manages cryptographic controls to protect the confidentiality, authenticity and/or the integrity of information.
Scope
The policy applies to all FundApps Information Systems.
Policy
FundApps will implement cryptographic controls to protect information as defined in the Data Classification and Protection Standard.
Information which requires encryption
The following table summarises when cryptography must be used, by data classification:
                                          Public   Open        Restricted  Confidential
Encryption in transit                     -        Mandatory   Mandatory   Mandatory
Encryption at rest                        -        -           -           Mandatory
Encryption at rest on removable media     -        -           Mandatory   Mandatory
Encryption ciphers and key lengths
Encryption ciphers and key lengths used to protect information must comply with requirements set out in NIST Special Publication 800-131A Revision 2.
The minimum length of a symmetric key to encrypt restricted client data at rest is 256 bits.
Cryptographic Key Management
Cryptographic keys must be generated, transmitted, stored and managed in a secure manner that prevents loss, unauthorised access, or compromise.
Access: Access to cryptographic keys must be restricted to authorised staff only.
Distribution: Private and symmetric keys must be distributed only over secure channels, such as secure email or an out-of-band technique like a phone conversation with a known individual. Private and symmetric keys that are physically transported must be encrypted.
Physical security: Equipment used to generate, store and archive keys must be physically protected using appropriate, secure access controls.
Key rotation: Cryptographic keys must be rotated at a minimum every 3 years.
Compromised keys: In the event of a cryptographic key being compromised, a new key (or key pair) must be generated and the existing key must be revoked.
Backup: Backup of cryptographic keys must be maintained to recover them should they be lost.
Logging and auditing: All accesses to cryptographic keys as well as modifications to these keys must be logged. Logs must be audited for anomalous activity.
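The requirements above (SP 800-131A Rev. 2 ciphers and key lengths, the 256-bit floor for restricted client data at rest, and rotation at least every 3 years) drift silently unless the key inventory is checked against them. The following Python script is an added example and is not FundApps' policy text or tooling: it audits a constructed key inventory against those rules. The Key fields, the sample keys, the helper names and the 365-day year are assumptions; the thresholds it encodes are the SP 800-131A Rev. 2 floors for applying protection (AES at 128 bits or more, RSA/DSA/DH at 2048 bits or more, ECDSA/ECDH at 224 bits or more, DES/TDEA/SKIPJACK/MD5 disallowed, SHA-1 disallowed for signature generation). It covers the common cases only; the standard's full tables (DRBGs, key-agreement schemes, legacy-use decryption) still need a manual review.

```python
"""Audit a cryptographic key inventory against the policy rules above.

Added example, not FundApps code. The inventory below is constructed for
illustration; the Key fields and helper names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Policy rules taken from the sections above.
ROTATION_MAX_AGE = timedelta(days=3 * 365)   # "rotated at a minimum every 3 years" (365-day years assumed)
RESTRICTED_AT_REST_MIN_BITS = 256            # symmetric key for restricted client data at rest

# SP 800-131A Rev. 2 minimum key sizes for encryption / signature generation
# (112-bit security strength floor). Algorithms not listed here are flagged for manual review.
MIN_BITS = {"AES": 128, "RSA": 2048, "DSA": 2048, "DH": 2048, "ECDSA": 224, "ECDH": 224}
SYMMETRIC = {"AES"}
# Disallowed for applying protection (encryption / signing) under SP 800-131A Rev. 2.
DISALLOWED = {"DES", "2TDEA", "3TDEA", "3DES", "SKIPJACK", "MD5"}
DISALLOWED_SIGNATURE_HASHES = {"SHA-1"}      # legacy use only, for signature verification


@dataclass
class Key:
    name: str
    algorithm: str
    bits: int
    created: date
    purpose: str                 # "at-rest", "in-transit" or "sign" (assumed vocabulary)
    classification: str = ""     # Public / Open / Restricted / Confidential
    hash_alg: str = ""           # digest paired with a signing key


def audit_key(key: Key, today: date) -> list[str]:
    """Return the policy findings for one key; an empty list means compliant."""
    findings: list[str] = []
    alg = key.algorithm.upper()

    # Cipher and key-length requirements (SP 800-131A Rev. 2).
    if alg in DISALLOWED:
        findings.append(f"{alg} is disallowed by SP 800-131A Rev. 2")
    elif alg in MIN_BITS:
        if key.bits < MIN_BITS[alg]:
            findings.append(f"{alg}-{key.bits} is below the SP 800-131A Rev. 2 minimum of {MIN_BITS[alg]} bits")
    else:
        findings.append(f"{alg} is not covered by this check; review against SP 800-131A Rev. 2 manually")
    if key.purpose == "sign" and key.hash_alg.upper() in DISALLOWED_SIGNATURE_HASHES:
        findings.append(f"{key.hash_alg} may not be used for signature generation")

    # Policy-specific floor: 256-bit symmetric keys for restricted client data at rest.
    # The policy sentence names "restricted" data only; extend it to other classes if the owner decides so.
    if (key.purpose == "at-rest" and key.classification == "Restricted"
            and alg in SYMMETRIC and key.bits < RESTRICTED_AT_REST_MIN_BITS):
        findings.append(f"restricted data at rest needs a {RESTRICTED_AT_REST_MIN_BITS}-bit symmetric key, got {key.bits}")

    # Key rotation: a key older than the rotation period is overdue.
    age = today - key.created
    if age > ROTATION_MAX_AGE:
        findings.append(f"key is {age.days} days old; rotation is due at least every 3 years")
    return findings


def audit_inventory(keys: list[Key], today: date) -> dict[str, list[str]]:
    """Map each non-compliant key name to its findings; compliant keys are omitted."""
    report = {}
    for key in keys:
        findings = audit_key(key, today)
        if findings:
            report[key.name] = findings
    return report


# Constructed sample inventory (not real keys); TODAY is fixed so the result is reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_KEYS = [
    Key("db-backup-kek", "AES", 256, date(2023, 1, 15), "at-rest", "Confidential"),
    Key("client-export-key", "AES", 128, date(2024, 3, 1), "at-rest", "Restricted"),
    Key("legacy-vpn-psk", "3DES", 168, date(2019, 5, 10), "in-transit", "Confidential"),
    Key("api-signing", "RSA", 2048, date(2023, 11, 20), "sign", "Confidential", hash_alg="SHA-1"),
    Key("tls-edge", "ECDSA", 256, date(2024, 8, 1), "sign", "Confidential", hash_alg="SHA-256"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_KEYS, TODAY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against the sample inventory, the script reports the 128-bit key protecting restricted data at rest, the 3DES pre-shared key (disallowed and also overdue for rotation) and the RSA key signing with SHA-1; the other two keys produce no findings. In practice the inventory would be pulled from the KMS or HSM rather than hard-coded, and the report wired into the logging and auditing review described above.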
Roles and responsibilities
The system owner, as defined in FundApps' Information System Inventory [restricted to FundApps staff], is responsible for ensuring that information is protected by cryptographic controls as set out in this policy.
The Information Security Lead is responsible for ensuring the policy is aligned to FundApps' business objectives.