Policy
Policy Name
Encryption Policy

Overview
Encryption solutions must be used to protect sensitive information (e.g., confidential, secret) with approved cryptographic algorithms. The objective of encryption is to ensure the confidentiality, integrity and proof of origin of sensitive information.

Statement
The following cryptographic algorithms and requirements are approved for use:
  • Symmetric Encryption Algorithms:
    • Advanced Encryption Standard (AES): Key Length of 256 (max key life of 7 years)
    • Triple Data Encryption Standard (TDES): Key lengths of 64 (each key) and max key life of 3 years
    • Twofish: Key Length of 128, 192, and 256 (and max key life of 2, 3 and 5 respectively)
  • Asymmetric Encryption Algorithms:
    • Rivest, Shamir, Adleman (RSA): Key Length of 2048 (max key life of 4)
    • Elliptic Curve Cryptography (ECC): Key Length of 256, 384 and 512 (and max key life of 3, 5 and 7 respectively)
  • Secure Hash Algorithm (SHA-2):
    • Digest length: 224, 256, 384 or 512 bit
    • Lifetime: 3 years
  • Session-Level Encryption must utilize: Transport Layer Security (TLS) 1.1 or Secure Sockets Layer (SSL) version 3.
  • Sensitive data at rest (e.g. stored in files, databases and applications) or in transit (e.g. transported across the network, internet or via removable media) must be encrypted with approved cryptographic algorithms.

Justification
The following benefits will be achieved:
  • ensure the confidentiality, integrity and proof of origin of sensitive information
  • minimum accepted encryption algorithms are known.

Scope
All employees, contractors, agents and third-parties

Consequences for Noncompliance
Noncompliance with this policy can result in disciplinary action up to and including termination of employment or contract.

Topics
Encryption