Data Encryption Policy - US MSP Network

1. Purpose

The purpose of this Data Encryption Policy is to establish requirements for the protection of sensitive, confidential, and regulated information through the use of encryption technologies. Encryption serves as a critical security control to protect organizational data from unauthorized access, disclosure, alteration, or destruction while data is stored, transmitted, processed, or backed up.

This policy supports the organization’s commitment to maintaining the confidentiality, integrity, and availability of information assets and helps ensure compliance with applicable legal, regulatory, contractual, and industry requirements.

2. Scope

This policy applies to:

All employees
Contractors
Consultants
Temporary personnel
Third-party service providers
Vendors with access to organizational data

This policy applies to:

All organizational information systems
Cloud platforms
SaaS applications
Servers
Workstations
Laptops
Mobile devices
Removable media
Databases
Backup systems
Network communications
Email systems

3. Policy Statement

All sensitive, confidential, proprietary, regulated, or customer-related information shall be protected using approved encryption technologies whenever such information is:

Stored on devices or systems
Transmitted across networks
Backed up for recovery purposes
Shared with third parties
Archived for long-term retention

Encryption controls shall be implemented according to data classification, business requirements, and applicable regulatory obligations.

4. Objectives

The objectives of this policy are to:

Protect sensitive information from unauthorized disclosure.
Reduce the risk of data breaches.
Ensure compliance with regulatory requirements.
Protect customer and employee information.
Secure data throughout its lifecycle.
Establish standardized encryption practices.
Define responsibilities for encryption management.
Protect organizational reputation and trust.

5. Definitions

Encryption

The process of converting readable information into an unreadable format using cryptographic algorithms.

Encryption Key

A cryptographic value used to encrypt or decrypt information.

Data at Rest

Data stored on systems, devices, databases, storage platforms, backups, or removable media.

Data in Transit

Data transmitted across internal or external networks.

Data in Use

Data actively being processed by applications, users, or systems.

Full-Disk Encryption

Encryption applied to an entire storage device.

End-to-End Encryption

Encryption that protects data from the sender to the intended recipient.

6. Data Classification Requirements

Public Data

Information approved for public disclosure.

Examples:

Marketing materials
Public website content
Press releases

Encryption:

Recommended but not required

Internal Use Data

Information intended for internal organizational use.

Examples:

Internal procedures
Staff directories
Internal communications

Encryption:

Required during transmission over public networks

Confidential Data

Information that could cause harm if disclosed.

Examples:

Customer records
Financial information
Contracts
Employee information
Operational documents

Encryption:

Required at rest and in transit

Restricted Data

Highly sensitive information subject to legal or regulatory requirements.

Examples:

Protected health information (PHI)
Payment card data
Personally identifiable information (PII)
Security credentials
Intellectual property

Encryption:

Mandatory at rest, in transit, and in backups

7. Data-at-Rest Encryption Requirements

The following systems must use approved encryption:

End User Devices

All company-issued:

Laptops
Desktops
Tablets
Smartphones

Must use full-disk encryption.

Examples include:

BitLocker
FileVault
Device encryption approved by IT

Servers

All servers storing confidential or restricted information must use:

Full-disk encryption
Volume encryption
Storage-level encryption

Where technically feasible.

Databases

Databases containing sensitive information must implement:

Transparent Data Encryption (TDE)
Column-level encryption where appropriate
Encrypted storage volumes

Cloud Storage

Data stored in cloud environments must utilize:

Provider-supported encryption
Customer-managed keys when appropriate
Encryption enabled by default

Backup Media

All backups must be encrypted before storage.

This includes:

Cloud backups
Offsite backups
Tape backups
Portable backup drives

8. Data-in-Transit Encryption Requirements

All sensitive information transmitted across networks must be encrypted.

Web Traffic

Approved protocols include:

TLS 1.2 or higher
TLS 1.3 preferred

Unencrypted HTTP shall not be used for sensitive information.

Email

Sensitive information transmitted by email must be protected through:

Secure email gateways
Message encryption
Encrypted attachments
Secure file-sharing solutions

Remote Access

Remote connections must use:

VPN solutions
Encrypted remote desktop technologies
Multi-factor authentication

Wireless Networks

Wireless networks must use:

WPA3 preferred
WPA2 Enterprise minimum

Open wireless networks are prohibited for business use unless secured through a VPN.

9. Approved Encryption Standards

The organization shall use industry-recognized encryption standards.

Approved standards include:

Symmetric Encryption

AES-256
AES-192
AES-128

Preferred:

AES-256

Asymmetric Encryption

RSA 2048-bit minimum
RSA 3072-bit preferred
ECC cryptography where supported

Hashing

Approved:

SHA-256
SHA-384
SHA-512

Prohibited:

MD5
SHA-1

Except where required for legacy compatibility and approved by management.

10. Encryption Key Management

Key Protection

Encryption keys shall be protected against:

Unauthorized access
Disclosure
Modification
Loss

Key Storage

Keys shall be stored separately from encrypted data whenever practical.

Approved methods include:

Hardware Security Modules (HSMs)
Cloud Key Management Services
Secure key vaults

Key Rotation

Encryption keys shall be rotated:

Annually at minimum
Upon suspected compromise
Following personnel changes where applicable
According to regulatory requirements

Key Revocation

Compromised keys must be revoked immediately.

Key Backup

Critical encryption keys must be securely backed up and recoverable.

11. Mobile Device Encryption

All company-owned mobile devices shall:

Use device encryption
Require PINs or passwords
Support remote wipe capabilities
Use approved mobile device management systems

Bring Your Own Device (BYOD) devices accessing organizational data must meet equivalent security requirements.

12. Removable Media Encryption

All removable media containing confidential or restricted information must be encrypted.

Examples:

USB drives
External hard drives
Portable SSDs
Memory cards

Unencrypted removable media shall not be used to store sensitive information.

13. Cloud Services Requirements

Cloud service providers must:

Support encryption at rest
Support encryption in transit
Maintain secure key management practices
Meet applicable contractual security requirements

The organization shall verify encryption controls before storing sensitive data in cloud environments.

14. Third-Party Requirements

Third parties handling organizational data must:

Implement encryption controls consistent with this policy
Protect encryption keys appropriately
Demonstrate compliance upon request
Notify the organization of encryption-related incidents

15. Monitoring and Auditing

The organization shall periodically review:

Encryption configurations
Key management practices
Compliance with encryption standards
Cloud encryption settings
Device encryption status

Audits may include:

Vulnerability assessments
Security reviews
Compliance assessments
Technical testing

16. Exceptions

Exceptions to this policy must:

Be documented
Include business justification
Include risk assessment
Be approved by management
Be reviewed annually

Temporary exceptions shall include an expiration date.

17. Incident Response

Any suspected compromise involving:

Encryption keys
Encrypted data
Cryptographic systems

Must be reported immediately to the Information Security team.

The organization may:

Revoke affected keys
Rotate encryption keys
Re-encrypt affected systems
Conduct forensic investigations

18. Roles and Responsibilities

Executive Management

Responsible for:

Approving security policies
Providing necessary resources

Information Security Team

Responsible for:

Maintaining encryption standards
Monitoring compliance
Managing key management processes
Conducting reviews and audits

IT Department

Responsible for:

Implementing encryption technologies
Managing encryption tools
Maintaining secure configurations

Employees

Responsible for:

Following encryption requirements
Protecting credentials
Reporting security concerns
Using approved tools and systems

19. Enforcement

Violations of this policy may result in:

Removal of system access
Disciplinary action
Contract termination
Legal action where applicable

20. Review and Maintenance

This policy shall be reviewed:

At least annually
Following significant regulatory changes
Following major security incidents
Following major technology changes

Updates shall be approved by executive management.

21. Related Policies

Information Security Policy
Access Control Policy
Acceptable Use Policy
Data Retention Policy
Incident Response Policy
Backup and Recovery Policy
Vendor Management Policy
Mobile Device Policy
Risk Management Policy

22. Policy Approval

Policy Owner: Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0