The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include measures for maintaining policies and procedures regarding the use of cryptography and, where appropriate, encryption.
When the confidentiality of backups is important, backups are protected by encryption. The need to encrypt backups may be heightened when backups are stored in a physical location whose security policies are unknown.
Laptops are protected by full-disk encryption.
The Encryption Key Management System (CKMS) handles, manages, stores, and monitors encryption keys. The management system can be implemented as an automated tool or in a more manual way.
The organization must have the means to monitor and report on all encryption materials and their status using an encryption key management system. The cryptographic key management system should be used at least to:
Our organization has defined policies for creating, storing, sharing, and deleting encryption keys.
Encryption key lengths and usage practices are selected in accordance with general best practices, which are tracked by monitoring developments in the industry.
Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).
The data to be transmitted must be protected using cryptographic methods. The protection of the confidentiality and integrity of the data transmitted applies to the internal and external network and to all systems that can transmit data. These include:
The data to be transferred can be protected by physical or logical means.
The organization's personnel are offered a solution to protect unclassified confidential information with encryption when information is transferred outside of physically protected areas via the network. The solution has no known vulnerabilities and, according to the information received from the manufacturer, it supports modern encryption strengths and settings.
The staff's competence in the safe use of the encryption solution has been ensured (for example, instructions, training and supervision).
When choosing the encryption methods to be used, take into account, for example, the following points:
The need for advice from external experts is always considered when determining the cryptographic practices to be used.