Policy on the use of cryptographic controls

There are separate instructions for staff to use mobile devices. The instructions cover:

• restrictions on installing software and using various services on your organization's devices
• procedures for the registration of new devices
• requirements for physical protection of equipment and installation of updates
• access control requirements
• protecting your organization’s data with encryption, malware protection, and backup
• the ability of the organization to remotely control the device

Laptops are protected by full-disk encryption.

When the confidentiality of backups is important, backups are protected by encryption. The need to encrypt backups may become highlighted when backups are stored in a physical location where security policies are unknown.

Deciding on the need for encryption solutions is seen as part of an overall process that includes risk assessment and the definition of other management tasks.

The organization has established a general encryption policy that is always followed when protecting information using encryption.

Encryption policy defines:

• general principles for using cryptographic controls throughout the organization
• methods for determining the needed level of encryption on the basis of a asset risk assesment
• the use of encryption on mobile devices
• ways to protect encryption keys and recover encrypted data when keys are lost
• roles and responsibilities related to encryption
• the effects of encryption on other tasks of the security management system

We use strong encryption during password transmission and storage in all services we develop.

Devices that support full-device encryption are selected as smartphones and tablets for work use, and encryption is turned on.

Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

The disk and file system of the servers is encrypted to manage the effects of physical theft of the servers.

When choosing the encryption methods to be used, take into account e.g. the following points:

• the cost of using encryption
• encryption level (eg type, strength and quality of the encryption algorithm)
• the value of the assets to be protected

The need for the advice of external experts is always considered when determining used cryptographic practices.