Encryption and Cryptographic Control Policy

Ref. No.: CPP-IT-0304_V2_Encryption.doc 
W. Cundangan
R. Eldridge

1.0 Objective  
1.1 Determine the requirements for managing cryptographic keys through their whole lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
1.2 Select cryptographic algorithms, key lengths and usage according to best practice.
1.3 Provide guidance on the responsibilities for the use and handling of portable media.
1.4 Describe how encryption will be used and applied to devices.
1.5 Detail the method of reporting breaches of this policy, whether intentional or accidental.
2.0 Scope
This policy applies to all Infinit-O employees and affiliates. 

3.0 Provisions
3.1 Technology 
3.1.1 Proven, standard algorithms such as AES, DES, Blowfish, RSA, RC5, IDEA and SSL should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application.
3.1.2 The IT Head will approve all encryption technology to be used on company resources and systems. Changes to the encryption technology in use will be decided on the basis of newer technology becoming available or the current technology being compromised.
3.2 Key Management and technology usage 
3.2.1 Only the IT department is authorized to manage and/or distribute full disk encryption keys.
3.2.2 Symmetric and asymmetric cryptosystem key lengths must be at least 128 bits.
3.2.3 Encryption technology owned/licensed by/to the company should only be used for business purposes.
3.2.4 No encryption technology other than that approved, managed and distributed by the IT department may be used on company resources or systems.
3.2.5 Access to the keys will be limited to IT personnel only. Any request for access should be authorized by the IT Head.
3.2.6 Importation/exportation of encryption technology by the company must comply with any relevant national laws and regulations.
3.2.7 Keys that have expired should no longer be used and should be replaced accordingly. Such keys should be destroyed where applicable.
3.3 Application and Method/Usage 
3.3.1 Full disk encryption will be rolled out to all laptops prior to deployment. The keys to decrypt the disk will be handled and recorded by IT.
3.3.2 Laptops without installed encryption technologies should not be used/deployed for business purposes.
3.3.3 Infinit-O data should not be stored on computers and should only be saved to designated shared folders, unless access is required when network connectivity is not available. When necessary, restricted and controlled data should only be stored on an encrypted device or encrypted as per IT recommendations. (Please see Encrypting files using 7-Zip)
3.3.4 Other portable USB devices, such as mobile phones, cameras and PDAs, should not be used to store company data.
3.3.5 When a company-recommended portable data storage device is used/required, the instructions for its correct use must be followed to ensure the data is encrypted.
3.3.6 Where write access to CD/DVD, floppy or USB drives is granted for confidential data, that data shall be encrypted as per IT recommendations. (Please see Encrypting files using 7-Zip)
3.3.7 Passwords used to encrypt data must be in line with the company's password policy. Any password used to encrypt data should be handed over to the appropriate manager as part of access revocation and turnover, so that the file can be accessed and re-encrypted as necessary.
3.3.8 Windows computers requiring encryption for the protection of vulnerable and sensitive data will use Windows BitLocker encryption or its equivalent.
3.3.9 Apple devices such as the MacBook and MacBook Air that require encryption will use FileVault or its native equivalent.
3.3.10 Any email attachments containing confidential information will be required to be encrypted using the following procedure at minimum. (Please see Encrypting files using 7-Zip)
3.4 Encrypting files using 7-Zip 
3.4.1 7-Zip is a free, open-source utility that offers AES-256 encryption.
3.4.2 Right click on the files or folder you wish to compress and encrypt. (If you are unable to see the 7-Zip option when you right click on the file/folder, please coordinate with your IT helpdesk team) 
3.4.3 Change the Archive format to Zip 
3.4.4 Change the encryption method to AES-256 
3.4.5 Enter your password. (This password needs to be shared to your recipient so that they can decrypt it) 
3.4.6 Then click OK. The rest of the options can be left as default.
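Added example (not part of the policy and not 7-Zip's own tooling): a Python check that reads a zip attachment's central directory and reports, per entry, whether it carries the WinZip AES-256 marker that step 3.4.4 produces, as opposed to legacy ZipCrypto or no encryption at all. The sample archive bytes are constructed inline with placeholder bodies, so the script runs offline; the `all_aes256` helper is the compliance check a helpdesk or mail gateway could apply before an attachment leaves.

```python
import struct

LOCAL_SIG, CEN_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
AES_EXTRA_ID, AES_METHOD = 0x9901, 99   # WinZip AES extra-field ID and method marker
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, 256-bit, deflate

def aes_strength(extra: bytes):
    """Return the key size (128/192/256) declared in a WinZip AES extra field, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and size >= 7:   # strength byte follows version(2) + "AE"(2)
            return {1: 128, 2: 192, 3: 256}.get(extra[pos + 8])
        pos += 4 + size
    return None

def classify_entries(data: bytes):
    """Walk the central directory; return [(name, status)]: aes-256/192/128, zipcrypto or plaintext."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0: raise ValueError("no end-of-central-directory record: not a zip archive")
    count, cd_off = struct.unpack_from("<IHHHHIIH", data, eocd)[4:7:2]  # total entries, CD offset
    results, pos = [], cd_off
    for _ in range(count):
        hdr = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)   # 46-byte central header
        flags, method, nlen, xlen, clen = hdr[3], hdr[4], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        status = "plaintext"
        if flags & 0x1:                        # general-purpose bit 0: entry is encrypted
            bits = aes_strength(extra) if method == AES_METHOD else None
            status = f"aes-{bits}" if bits else "zipcrypto"   # encrypted but not AES = legacy
        results.append((name, status))
        pos += 46 + nlen + xlen + clen
    return results

def all_aes256(data: bytes) -> bool:   # policy check: every entry must be AES-256
    entries = classify_entries(data)
    return bool(entries) and all(s == "aes-256" for _, s in entries)

def build_sample_zip(entries):
    """Constructed test archive: real zip headers around placeholder bodies (no ciphertext)."""
    local = central = b""
    for name, flags, method, extra in entries:
        n, body, off = name.encode(), b"\x00" * 16, len(local)
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, 0, 0, 0,
                             len(body), len(body), len(n), len(extra)) + n + extra + body
        central += struct.pack("<IHHHHHHIIIHHHHHII", CEN_SIG, 20, 20, flags, method, 0, 0, 0,
                               len(body), len(body), len(n), len(extra), 0, 0, 0, 0, off) + n + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return local + central + eocd
```

The same archive the GUI steps produce can be created with 7-Zip's command line, `7z a -tzip -mem=AES256 -p archive.zip <files>`. Zip-format AES protects file contents only, so the file names in the listing remain readable to anyone holding the archive.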
3.5 Decrypting files using 7-Zip
3.5.1 Simply right-click on the file, select Extract, then enter the password when requested.
3.6 Breach of Policy 
3.6.1 Breaches of this policy and/or security incidents can be defined as events which could have resulted, or have resulted, in loss or damage to company assets, or an event which is in breach of the company's security procedures and policies. All company employees, partner agencies, third parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company's QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact). This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
4.0 Responsibility
4.1 Vice Presidents and Directors are responsible for ensuring that all staff and managers are aware of security policies and that they are observed. Managers need to be aware that they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of systems and the information they hold, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.

5.0 References

    • Network Control and Security (Ref. No.: CPP-IT-0302_V2_Network Security.doc)
    • Internet Usage Policy
    • Teleworking and Mobile Device Policy (Ref. No.: CPP-IT-0203_V1_Teleworking and Mobile Device Policy.doc)
    • Network Services Acceptable Usage Policy (Ref. No.: CPP-IT-0201_V2_Network Services Acceptable Usage Policy.doc)