A.10.1.1 Policy on the use of cryptographic controls

Control details

Requirement

For copyright reasons, this space does not contain citations from the Standard.

Instruction

Cryptographic controls can be used to ensure confidentiality (encryption), maintain integrity (digital signatures), provide authentication (SSL) or provide non-repudiation.

Define what kinds of cryptography should be used in what situations.

Implementation

Our organization's use of cryptographic controls is defined here: Cryptography policy.

Cryptography policy
Following the /wiki/spaces/DEMO/pages/5670005, encryption must be used to protect confidential and/or sensitive information at rest or in motion.

Requirements for certificates

  • The maximum duration for signing certificates is 1 year
  • The maximum duration for SSL/TLS certificates is 2 years
  • The use of wildcard certificates is not allowed
  • All certificates should have a key length of at least 2048 bits
  • All certificates must be administered via asset management on Certificates
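One way to turn the certificate requirements above into an automated check, added here as an example and not part of the original page or its asset inventory; the record fields (common_name, san, key_bits, not_before, not_after) are assumed names for data exported from the certificate inventory, and the sample records are constructed:

```python
from datetime import datetime, timezone

# Policy limits taken from the "Requirements for certificates" list.
MAX_VALIDITY_YEARS = {"signing": 1, "tls": 2}
MIN_KEY_BITS = 2048


def _add_years(moment, years):
    """Shift `moment` by whole years; 29 February maps onto 28 February."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:  # 29 Feb in a non-leap target year
        return moment.replace(year=moment.year + years, day=28)


def check_certificate(cert, purpose):
    """Return the list of policy violations for one inventory record.

    `cert` is a dict with hypothetical field names: common_name, san (list of
    DNS names), key_bits, not_before and not_after (timezone-aware datetimes).
    `purpose` is "signing" or "tls" and selects the maximum duration.
    """
    violations = []
    years = MAX_VALIDITY_YEARS[purpose]
    if cert["not_after"] > _add_years(cert["not_before"], years):
        violations.append(f"validity exceeds {years} year(s) for {purpose}")
    names = [cert["common_name"], *cert.get("san", [])]
    wildcards = [n for n in names if n.startswith("*.")]
    if wildcards:
        violations.append("wildcard name present: " + ", ".join(wildcards))
    if cert["key_bits"] < MIN_KEY_BITS:
        violations.append(f"key length {cert['key_bits']} < {MIN_KEY_BITS} bits")
    return violations


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records (not real certificates); purpose given per record.
SAMPLE_CERTS = {
    "web-ok": ({"common_name": "www.example.com", "san": ["example.com"],
                "key_bits": 2048, "not_before": _utc(2024, 1, 1),
                "not_after": _utc(2025, 12, 31)}, "tls"),
    "web-wildcard": ({"common_name": "*.example.com", "san": [],
                      "key_bits": 4096, "not_before": _utc(2024, 3, 1),
                      "not_after": _utc(2027, 3, 1)}, "tls"),
    "signing-weak": ({"common_name": "code-signing", "san": [],
                      "key_bits": 1024, "not_before": _utc(2024, 2, 29),
                      "not_after": _utc(2025, 2, 28)}, "signing"),
}


def audit(records=SAMPLE_CERTS):
    """Map each record name to its list of violations (empty list = compliant)."""
    return {name: check_certificate(c, p) for name, (c, p) in records.items()}
```

The leap-day record shows why the year arithmetic is done on dates rather than a fixed day count; a 365-day rule would pass or fail it depending on the year.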

Requirements for SSL connections

  • All public-facing websites are scanned each quarter using ssllabs.com; a score of "A" is the minimum acceptable
  • The use of SSL is not allowed
  • TLS 3.0 is recommended; TLS 2.0 and 1.0 should be supported
  • Web servers must be configured to use the highest level of encryption first

Requirements for email

Status: Implemented
Applicable: YES
Reason: Risk assessment

Check details

Owner: Security officer (role)
Frequency: Year
Instruction

Is the implementation still accurate? Check whether personnel act according to the implementation. Report any findings below in the comments, or upload proof as an attachment to this page.
