1.1 Determine the requirements for managing cryptographic keys through their whole lifecycle, including generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
1.2 Select cryptographic algorithms, key lengths and usage according to best practice.
1.3 Provide guidance on the responsibilities for the use and handling of portable media.
1.4 Describe how encryption will be used and applied to devices.
1.5 Detail the method of reporting breaches of this policy, whether intentional or accidental.
3.1 Technology
3.1.1 Proven, standard algorithms such as AES, DES, Blowfish, RSA, RC5, IDEA and SSL should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application.
3.1.2 The IT Head will approve all encryption technology to be used on company resources and systems. Changes to the encryption technology in use will be decided on the basis of the latest technology, or if the current technology is compromised.
3.2 Key Management and technology usage
3.2.1 Only the IT department is authorized to manage and/or distribute full disk encryption keys.
3.2.2 Symmetric and Asymmetric cryptosystem key lengths must be at least 128 bits.
3.2.3 Encryption technology owned/licensed by/to the company should only be used for business purposes.
3.2.4 No encryption technology other than that approved, managed and distributed by IT department may be used on company resources or systems.
3.2.5 Access to the keys will be limited to IT personnel only. Any request for access should be authorized by the IT head.
3.2.6 Importation/exportation of encryption technology by the company must comply with any relevant national laws and regulations.
3.2.7 Keys that have expired should no longer be used and should be replaced accordingly. Such keys should be destroyed where applicable.
3.3 Application and Method/Usage
3.3.1 Full disk encryption will be rolled out to all laptops prior to deployment. The keys to decrypt the disk will be handled and recorded by IT.
3.3.2 Laptops without installed encryption technologies should not be used/deployed for business purposes.
3.3.3 Infinit-O data should not be stored on computers and should only be saved to designated shared folders, unless access is required when network connectivity is not available. When necessary, restricted and controlled data should only be stored on an encrypted device or encrypted as per IT recommendations. (Please see Encrypting files using 7-Zip)
3.3.4 Other portable USB devices include mobile phones, cameras, PDAs, etc. These devices should not be used to store company data.
3.3.5 When a portable, company recommended, data storage device is used/required, the instructions for the correct use must be followed to ensure the data is encrypted.
3.3.6 Where write access to CD/DVD, floppy devices or USB drives is agreed, any confidential data written to them shall be encrypted as per IT recommendations. (Please see Encrypting files using 7-Zip)
3.3.7 Passwords used to encrypt data must be in line with the company’s password policy. Any password used to encrypt data should be handed over to the appropriate manager as part of access revocation and handover, so that the file can be accessed and re-encrypted as necessary.
3.3.8 Windows computers requiring encryption for the protection of vulnerable and sensitive data will use Windows BitLocker encryption or its equivalent.
3.3.9 iOS-based devices such as the MacBook and MacBook Air that require encryption will use FileVault or its native equivalent.
3.3.10 Any email attachments containing confidential information will be required to be encrypted using the following procedure at minimum. (Please see Encrypting files using 7-Zip)
3.4 Encrypting files using 7-Zip
3.4.1 7-Zip is an open-source, free utility that offers AES-256-bit encryption.
3.4.2 Right click on the files or folder you wish to compress and encrypt. (If you are unable to see the 7-Zip option when you right click on the file/folder, please coordinate with your IT helpdesk team)
3.4.3 Change the Archive format to Zip.
3.4.4 Change the Encryption method to AES-256.
3.4.5 Enter your password. (This password needs to be shared with your recipient so that they can decrypt the file)
3.4.6 Then click OK. The rest of the options can be left as default.
3.5 Decrypting files using 7-Zip
3.5.1 Simply right-click on the file, select extract then enter the password when requested.
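The GUI steps in sections 3.4 and 3.5 have a command-line equivalent that can be scripted or used to confirm an archive was produced as the policy requires. The script below is an added example, not part of the policy text; it assumes the 7-Zip command-line tool is installed under one of its usual names (`7z`, `7zz` or `7za`), and the file name, password and destination directory in the comments are constructed placeholders. The switches mirror the GUI choices: `-tzip` (archive format Zip), `-mem=AES256` (encryption method AES-256) and `-p` (password); everything else stays at 7-Zip defaults, as step 3.4.6 instructs.

```shell
#!/bin/sh
# Added example: command-line form of policy sections 3.4 (encrypt) and 3.5 (decrypt).
# Assumes a 7-Zip binary is on PATH; every file name and password below is a placeholder.
set -eu

# Print the name of the first available 7-Zip binary; return 1 if none is installed.
find_7z() {
  for candidate in 7z 7zz 7za; do
    if command -v "$candidate" >/dev/null 2>&1; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# encrypt_zip_aes256 OUTPUT.zip PASSWORD FILE...
# Same settings as the GUI: Zip format, AES-256 content encryption, password-protected.
encrypt_zip_aes256() {
  out="$1"; pass="$2"; shift 2
  bin="$(find_7z)" || { echo "7-Zip not found; coordinate with the IT helpdesk" >&2; return 127; }
  "$bin" a -tzip -mem=AES256 -p"$pass" "$out" "$@" >/dev/null
}

# verify_aes256 ARCHIVE.zip
# Check that every file entry is recorded with Method AES-256 (return 1 otherwise).
# Listing needs no password: in Zip format the entry names and sizes are not encrypted,
# so a wrongly configured archive (e.g. ZipCrypto or no encryption) is detectable here.
verify_aes256() {
  bin="$(find_7z)" || return 127
  "$bin" l -slt "$1" | awk '
    /^Path = /   { folder = "" }          # new entry block
    /^Folder = / { folder = $3 }          # "-" for files, "+" for directories
    /^Method = / && folder == "-" { total++; if ($0 ~ /AES-256/) ok++ }
    END { exit (total > 0 && ok == total) ? 0 : 1 }'
}

# decrypt_zip ARCHIVE.zip PASSWORD DESTDIR
# Section 3.5: extract with the shared password into DESTDIR (created if missing).
decrypt_zip() {
  bin="$(find_7z)" || return 127
  "$bin" x -p"$2" -o"$3" -y "$1" >/dev/null
}

# Example session (placeholders):
#   encrypt_zip_aes256 report.zip 'Example-Passw0rd!' report.txt
#   verify_aes256 report.zip && echo "archive meets 3.4.4"
#   decrypt_zip report.zip 'Example-Passw0rd!' extracted/
```

Two points follow from how the Zip format works. First, `verify_aes256` is the check a reviewer can run on a received attachment: it fails if the sender left the encryption method at ZipCrypto or forgot to set a password. Second, AES-256 in Zip format protects file contents only; file and folder names remain readable in the listing, so the names of files sent under 3.3.10 should not themselves reveal confidential information, and the password from step 3.4.5 should travel by a separate channel from the email that carries the attachment.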
3.6 Breach of Policy
3.6.1 Breaches of this policy and/or security incidents can be defined as events which could have resulted, or have resulted, in loss or damage to company assets, or events which are in breach of the company’s security procedures and policies. All company employees, partner agencies, third parties and vendors have a responsibility to report security incidents and breaches of this policy immediately through the company’s QISMS reporting system (third parties, partners or vendors may relay the report to their direct contact). This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.