Cryptography Policy

1. Purpose

The purpose of this Cryptography Policy is to establish requirements for the selection, implementation, use, and management of cryptographic controls within the organization.

Cryptography is used to protect the confidentiality, integrity, authenticity, and availability of information assets. Proper use of cryptographic controls helps safeguard sensitive information, prevent unauthorized access, support secure communications, and meet legal, regulatory, contractual, and business requirements.

This policy provides a framework for the secure use of encryption, hashing, digital signatures, certificates, key management, and other cryptographic technologies throughout the organization.

2. Scope

This policy applies to:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Third-party service providers with access to organizational information systems

This policy applies to all organizational information assets, systems, applications, devices, networks, cloud environments, and services that use cryptographic technologies.

The policy covers:

  • Data encryption
  • Data decryption
  • Secure communications
  • Public Key Infrastructure (PKI)
  • Digital certificates
  • Digital signatures
  • Authentication mechanisms
  • Hashing technologies
  • Cryptographic key management
  • Cloud-based cryptographic services
  • Third-party cryptographic solutions

3. Policy Statement

The organization shall implement approved cryptographic controls to protect sensitive information and support secure business operations.

Cryptographic technologies shall be selected, implemented, managed, and maintained according to industry standards, regulatory requirements, vendor recommendations, and organizational security requirements.

Only approved cryptographic algorithms, protocols, and implementations shall be used to protect organizational information.

4. Objectives

The objectives of this policy are to:

  • Protect sensitive and regulated information.
  • Ensure secure transmission and storage of data.
  • Support authentication and non-repudiation.
  • Maintain information integrity.
  • Reduce the risk of unauthorized disclosure.
  • Establish standardized cryptographic practices.
  • Support compliance obligations.
  • Define roles and responsibilities for cryptographic controls.

5. Definitions

Cryptography

The science of protecting information through mathematical techniques that transform data so that it can be read, and its origin verified, only by parties holding the corresponding key.

Encryption

The process of converting readable information (plaintext) into an unreadable form (ciphertext) that can be restored only by parties holding the corresponding decryption key.

Decryption

The process of converting encrypted information back into its original readable form.

Symmetric Encryption

Encryption that uses the same key for both encryption and decryption.

Asymmetric Encryption

Encryption that uses a mathematically linked key pair: a public key, which may be distributed freely, and a private key, which must be kept secret by its owner.

Hash Function

A one-way mathematical function that converts data of any length into a fixed-length value (a digest); any change to the input produces a different digest, which is what makes the value useful for verifying integrity.

Digital Signature

A value computed over data with the signer's private key and verified with the corresponding public key, used to prove authenticity and integrity and to support non-repudiation.

Public Key Infrastructure (PKI)

A framework used to manage digital certificates and public key encryption.

Certificate Authority (CA)

An entity that issues and manages digital certificates.

6. Cryptographic Principles

Cryptographic controls shall be implemented based on the following principles:

  • Confidentiality
  • Integrity
  • Authenticity
  • Non-repudiation
  • Least privilege
  • Defense in depth
  • Secure lifecycle management
  • Risk-based implementation

Cryptographic controls shall be proportionate to the sensitivity and classification of the information being protected.

7. Approved Cryptographic Standards

The organization shall use cryptographic algorithms and protocols that are widely accepted and considered secure by industry standards.

Symmetric Encryption

Approved algorithms include:

  • AES-128
  • AES-192
  • AES-256

Preferred standard:

  • AES-256

AES shall be used in an authenticated mode of operation (for example AES-GCM) so that tampering with ciphertext is detected; ECB mode is not approved.

Asymmetric Encryption

Approved algorithms include:

  • RSA 2048-bit minimum
  • RSA 3072-bit preferred
  • Elliptic Curve Cryptography (ECC) on curves of at least 256 bits (for example P-256, P-384, Curve25519)

Hashing Algorithms

Approved algorithms include:

  • SHA-256
  • SHA-384
  • SHA-512

Message Authentication

Approved algorithms include:

  • HMAC-SHA256
  • HMAC-SHA384
  • HMAC-SHA512
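
As an added illustration (not part of the policy text), the following Python shows what the approved HMAC-SHA256 construction provides that a bare SHA-256 digest does not: a receiver that checks only a hash will accept a message the attacker has rewritten along with its hash, while an HMAC tag cannot be forged without the key. The key here is generated with the OS CSPRNG for the demo; in production it would come from the key store required by the Key Management Policy. The sample message, the function names, and the tampered copy are all constructed for this example.

```python
"""HMAC-SHA256 message authentication, contrasted with a bare SHA-256 checksum.

Added example, not from the policy. Key generation uses the OS CSPRNG here; in
production the key comes from the organization's key store. The sample message
and its tampered copy are constructed for the demo.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes; tags are never truncated


def generate_mac_key() -> bytes:
    """256-bit key from a cryptographically secure RNG (matches SHA-256 output size)."""
    return secrets.token_bytes(TAG_LEN)


def naive_checksum(message: bytes) -> bytes:
    """Integrity only: anyone who can alter the message can also recompute this."""
    return hashlib.sha256(message).digest()


def compute_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over the message; cannot be forged without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a plain '==' leaks the position of the first mismatch."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(compute_tag(key, message), tag)


def tampering_detected(key: bytes) -> dict:
    """Shows what each mechanism catches when an attacker edits a message in transit."""
    original = b'{"account":"1234","amount":100}'   # constructed sample message
    forged = original.replace(b"100", b"900")

    # Checksum scheme: the attacker rewrites the message AND attaches a fresh
    # SHA-256 of it. The receiver recomputes SHA-256 over what arrived and has
    # no way to tell the difference.
    attached_checksum = naive_checksum(forged)
    checksum_accepts_forgery = naive_checksum(forged) == attached_checksum

    # HMAC scheme: the tag was computed with a key the attacker does not hold.
    tag = compute_tag(key, original)
    return {
        "checksum_accepts_forgery": checksum_accepts_forgery,
        "hmac_accepts_original": verify_tag(key, original, tag),
        "hmac_accepts_forgery": verify_tag(key, forged, tag),
        "hmac_accepts_wrong_key": verify_tag(generate_mac_key(), original, tag),
    }


if __name__ == "__main__":
    for check, result in tampering_detected(generate_mac_key()).items():
        print(f"{check}: {result}")
```

The two details practitioners most often get wrong are both in `verify_tag`: the tag length is checked before comparison so a truncated tag is rejected outright, and the comparison itself uses `hmac.compare_digest` rather than `==`.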

Secure Transport Protocols

Approved protocols include:

  • TLS 1.2
  • TLS 1.3

Preferred:

  • TLS 1.3

8. Prohibited Cryptographic Technologies

The following cryptographic technologies shall not be used unless specifically approved through a documented exception process:

  • MD5
  • SHA-1
  • SSL (all versions, including SSLv2 and SSLv3)
  • TLS 1.0
  • TLS 1.1
  • DES
  • Triple DES (3DES)
  • RC4
  • Weak proprietary encryption methods

Legacy cryptographic technologies must be replaced whenever feasible.
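
The transport rules in sections 7 and 8 (TLS 1.2 minimum, TLS 1.3 preferred, no SSL/TLS 1.0/1.1, no RC4, DES, 3DES or MD5 suites) can be enforced in code rather than left to defaults. The Python below is an added example, not from the policy: it builds a client `ssl.SSLContext` that meets those rules and audits any context against them. The function names and the prohibited-suite fragment list are this example's own choices, and the legacy configuration it audits is described as constructed values so no network connection or legacy OpenSSL build is needed.

```python
"""Enforce the policy's transport rules on a Python ssl.SSLContext.

Added example, not from the policy. Function names and the fragment list are
this example's own. The legacy configuration at the bottom is constructed
input, not a captured server setting.
"""
import ssl

# Substrings of OpenSSL suite names that correspond to prohibited technologies.
PROHIBITED_SUITE_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXP-")
APPROVED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def build_policy_tls_context() -> ssl.SSLContext:
    """Client context that negotiates only TLS 1.2/1.3 with forward-secret AEAD suites."""
    ctx = ssl.create_default_context()           # verifies peer cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and TLS 1.1
    # TLS 1.2 suites restricted to ECDHE/DHE key exchange with AES-GCM or ChaCha20.
    # TLS 1.3 suites are not governed by set_ciphers() and are all AEAD already.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def audit_tls_settings(minimum_version: ssl.TLSVersion, cipher_names) -> list:
    """Pure policy check; returns a list of findings (empty means compliant)."""
    findings = []
    if minimum_version < APPROVED_MIN_VERSION:
        findings.append(f"minimum protocol {minimum_version.name} is below TLS 1.2")
    for name in cipher_names:
        if any(frag in name.upper() for frag in PROHIBITED_SUITE_FRAGMENTS):
            findings.append(f"prohibited cipher suite enabled: {name}")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Run the policy check against a live context's enabled suites."""
    names = [suite["name"] for suite in ctx.get_ciphers()]
    return audit_tls_settings(ctx.minimum_version, names)


if __name__ == "__main__":
    print("policy context findings:", audit_context(build_policy_tls_context()) or "none")
    # Constructed legacy configuration: what a pre-policy service might still offer.
    legacy = audit_tls_settings(ssl.TLSVersion.TLSv1, ["RC4-SHA", "DES-CBC3-SHA"])
    print("legacy findings:", legacy)
```

Keeping the check a pure function over (minimum version, suite names) lets the same audit run against a live context, a scanner's output, or a vendor's written configuration during the assessments section 18 requires.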

9. Data Encryption Requirements

Cryptographic controls shall be applied according to data classification and business requirements.

Data at Rest

Sensitive information stored on any of the following must be encrypted using approved encryption methods:

  • Servers
  • Databases
  • Laptops
  • Workstations
  • Mobile devices
  • Cloud storage platforms
  • Backup systems

Data in Transit

Sensitive information transmitted across internal or external networks shall be protected using approved encryption protocols.

Examples include:

  • HTTPS
  • TLS-secured applications
  • VPN connections
  • Secure email solutions

Data in Use

Where feasible, applications and systems shall implement controls to minimize exposure of sensitive information during processing.

10. Public Key Infrastructure

The organization shall maintain secure management of digital certificates and public key infrastructure components.

PKI processes shall include:

  • Certificate issuance
  • Certificate renewal
  • Certificate revocation
  • Certificate expiration monitoring
  • Secure certificate storage

Only trusted Certificate Authorities shall be used.

11. Digital Certificates

Digital certificates shall be:

  • Issued only by trusted Certificate Authorities
  • Validated on every use (chain of trust, hostname match, validity period, and revocation status)
  • Monitored for expiration
  • Revoked immediately when the associated private key is compromised
  • Renewed before expiration

Certificate inventories shall be maintained.

12. Digital Signatures

Digital signatures shall be used where required to:

  • Verify authenticity
  • Verify integrity
  • Support non-repudiation
  • Protect electronic transactions

Digital signature implementations shall use approved cryptographic standards.

13. Key Management

Cryptographic keys shall be managed according to the organization’s Key Management Policy.

Key management requirements include:

  • Secure generation
  • Secure storage
  • Controlled access
  • Key rotation
  • Backup and recovery
  • Revocation
  • Secure destruction

Keys shall be treated as highly sensitive information assets.

14. Cloud Cryptography

Cloud-hosted systems storing organizational data shall use:

  • Encryption at rest
  • Encryption in transit
  • Secure key management
  • Provider-supported cryptographic controls

Cloud cryptographic implementations shall be reviewed during vendor assessments.

15. Application Cryptography

Developers shall use approved cryptographic libraries and frameworks.

Custom cryptographic implementations are prohibited unless formally approved and reviewed by qualified security personnel.

Applications shall:

  • Store secrets (keys, passwords, API tokens) in an approved secrets manager or key store
  • Avoid hard-coded keys in source code, build artifacts, and configuration files
  • Follow secure coding practices
  • Use approved encryption algorithms

16. Authentication and Cryptography

Cryptographic controls shall support secure authentication mechanisms.

Examples include:

  • Multi-factor authentication
  • Digital certificates
  • Secure authentication tokens
  • Federated identity systems

Authentication credentials shall never be stored or transmitted in plain text. Stored passwords shall be protected with a salted, iterated password-hashing construction built on an approved hash (for example PBKDF2-HMAC-SHA256), not with a single unsalted hash.

17. Cryptographic Hardware

Where appropriate, cryptographic operations shall utilize:

  • Hardware Security Modules (HSMs)
  • Trusted Platform Modules (TPMs)
  • Secure cryptographic processors
  • Cloud key management services

Hardware-based protection shall be used for highly sensitive cryptographic assets whenever practical.

18. Third-Party Cryptographic Controls

Third-party service providers handling organizational information shall implement cryptographic controls consistent with organizational requirements.

Third parties must:

  • Protect cryptographic keys
  • Use approved encryption methods
  • Report cryptographic incidents
  • Support compliance requirements

Cryptographic capabilities shall be evaluated during vendor assessments.

19. Logging and Monitoring

Cryptographic systems shall generate audit records for:

  • Key creation
  • Key access
  • Key rotation
  • Certificate issuance
  • Certificate revocation
  • Administrative changes
  • Security events

Logs shall be protected against unauthorized modification and reviewed periodically.

20. Incident Response

Any suspected compromise involving cryptographic systems, keys, certificates, or encrypted information shall be reported immediately.

Incident response activities may include:

  • Key revocation
  • Certificate revocation
  • Re-encryption of affected systems
  • Forensic investigation
  • Root cause analysis
  • Remediation activities

Cryptographic incidents shall be handled according to the Incident Response Policy.

21. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Internal audits
  • Security assessments
  • Vulnerability assessments
  • Compliance reviews
  • Management reviews

Audit findings shall be documented and addressed through corrective action processes.

22. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Be approved by management
  • Include an expiration date where appropriate

Approved exceptions shall be reviewed periodically.

23. Enforcement

Violations of this policy may result in:

  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

24. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following major technology changes
  • Following significant regulatory changes
  • Following major security incidents

Updates shall be approved by executive management.

25. Related Policies

  • Information Security Policy
  • Data Encryption Policy
  • Key Management Policy
  • Access Control Policy
  • Password Policy
  • Secure Development Policy
  • Vendor Management Policy
  • Incident Response Policy

26. Policy Approval

Policy Owner: Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0