What are the different aspects to consider for Enterprise Encryption policy?
So far the resources I have are:
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
http://securosis.com/reports/Securosis_Understanding_DBEncryption.V_.1_.pdf
http://jdcmg.isc.ucsb.edu/docs/secpresent/Oracle-Secure-SSN-Vault-White-Paper-MAY2007.pdf
Most of these deal with encryption of sensitive data in the database. For an internal audit on the encryption standards in an organization, what else should be taken into consideration?
Narrowing it down to these factors with regard to key management, what would be the best practices:
- Storage of keys within source code
- Storage of keys within configuration files
- Storage of keys within a hardware security module
- Storage of keys within a keystore
- Key Rotation policy
- Backup of keys
- Restricted Access to Keys
NIST has provided a guide available here: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
What would be relevant from an enterprise point of view?