Encryption Policy

Control 3
Applicable Safeguards: 3.6, 3.9, 3.10, 3.11

1. Purpose

Define requirements for the use of cryptographic controls to protect the confidentiality and integrity of [ORGANIZATION]'s data assets.

2. Scope

This policy applies to all data classified as Confidential or Restricted, all data transmitted over untrusted networks, and all portable storage devices and mobile endpoints used by [ORGANIZATION].

3. Policy

3.1 Encryption Standards

3.1.1 All encryption shall use industry-standard algorithms and key lengths. The following minimum standards apply:

3.1.2 Symmetric encryption: AES-256 for data at rest and in transit.

3.1.3 Asymmetric encryption: RSA-2048 or ECDSA P-256 minimum for key exchange and digital signatures.

3.1.4 Hashing: SHA-256 or stronger for integrity verification.

3.1.5 TLS 1.2 or higher for all encrypted network communications. TLS 1.0 and 1.1 are prohibited.

3.1.6 Deprecated or known-weak algorithms (DES, 3DES, RC4, MD5, SHA-1 for signatures) are prohibited for new implementations and shall be phased out of existing systems within [CUSTOMIZE: 6/12] months.

3.2 Encryption at Rest

3.2.1 All Confidential and Restricted data stored on servers, databases, and storage systems shall be encrypted at rest using AES-256 or equivalent.

3.2.2 Full disk encryption shall be enabled on all laptops, portable devices, and removable storage media used for [ORGANIZATION] business.

3.2.3 Database-level encryption (TDE or equivalent) shall be enabled for databases containing Confidential or Restricted data.

3.2.4 Backup media containing Confidential or Restricted data shall be encrypted.

3.3 Encryption in Transit

3.3.1 All data transmitted over untrusted networks (including the internet) shall be encrypted using TLS 1.2 or higher.

3.3.2 Internal transmission of Confidential and Restricted data shall be encrypted, even within [ORGANIZATION]'s internal network.

3.3.3 Email containing Confidential or Restricted data shall be encrypted using S/MIME, PGP, or an approved email encryption gateway.

3.3.4 File transfers containing sensitive data shall use SFTP, SCP, or HTTPS. FTP is prohibited for Confidential or Restricted data.

3.4 Key Management

3.4.1 Cryptographic keys shall be generated, stored, distributed, and destroyed using documented procedures approved by [CUSTOMIZE: CISO/Security Team].

3.4.2 Private keys and symmetric keys shall be stored in hardware security modules (HSMs), secure key vaults, or equivalent tamper-resistant storage.

3.4.3 Key rotation shall occur at minimum [CUSTOMIZE: annually/bi-annually] or immediately upon suspected compromise.

3.4.4 Key access shall follow the principle of least privilege with separation of duties (no single individual shall have access to both encrypted data and decryption keys for the highest classification levels).

3.4.5 A key recovery process shall be documented and tested [CUSTOMIZE: annually/bi-annually] to ensure business continuity.

4. Compliance

4.1 Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.

4.2 Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.

5. Enforcement

5.1 Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.

5.2 [ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.

6. Review and Revision

6.1 This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.

6.2 All revisions shall be documented with version number, date, author, and description of changes.

Policy Approval

Approved By: [CUSTOMIZE]
Title: [CUSTOMIZE]
Date: [CUSTOMIZE]

Document Control

Version: [CUSTOMIZE: 1.0]
Effective Date: [CUSTOMIZE]
Last Reviewed: [CUSTOMIZE]
Next Review: [CUSTOMIZE]
Classification: Internal