
What are the different aspects to consider for Enterprise Encryption policy?

So far the resources I have are:

https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

http://esj.com/articles/2008/07/01/8-best-practices-for-encryption-key-management-and-data-security.aspx

http://securosis.com/reports/Securosis_Understanding_DBEncryption.V_.1_.pdf

http://jdcmg.isc.ucsb.edu/docs/secpresent/Oracle-Secure-SSN-Vault-White-Paper-MAY2007.pdf

Most of these deal with encryption of sensitive data in the database. For an internal audit on the encryption standards in an organization, what else should be taken into consideration?

Narrowing it down to these factors with regard to key management, what would be the best practices:

  1. Storage of keys within source code
  2. Storage of keys within configuration files
  3. Storage of keys within a hardware security module
  4. Storage of keys within a keystore
  5. Key Rotation policy
  6. Backup of keys
  7. Restricted Access to Keys

NIST has provided a guide available here: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf

What would be relevant from an enterprise point of view?

Epoch Win
    The thing is, encryption policy is all about what you are wanting to protect. There isn't really a one-size-fits-all policy for encryption. What are you wanting to protect? – Steve Dec 19 '11 at 00:35
  • I'm looking for something from encryption at different levels such as in communications, storage, secure coding, key management etc. Say a checklist of sorts similar to the OWASP link provided. – Epoch Win Dec 19 '11 at 03:07
  • But you need to define what you are protecting its value, and your risk appetite first, then you can define protective measures appropriately. – Rory Alsop Jan 19 '12 at 18:14
  • Edited the question to be a little more specific – Epoch Win Feb 06 '12 at 22:14
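The key-management items in the question's list (keys kept out of source and config files, an HSM or keystore holding them, a rotation policy, restricted access) are easiest to reason about with a concrete scheme in front of you. The Go program below is an added example written for this page; it is not code from the question, from any of the linked documents, or from any product. It implements envelope encryption: every record gets its own data-encryption key (DEK), and the DEK is wrapped under a versioned key-encryption key (KEK). The KEKs are assumed to be in-memory byte strings handed in by the caller, standing in for keys that in a real deployment never leave an HSM or keystore; AES-256-GCM from the Go standard library is used for both layers (an HSM would do the wrap, and AES-KW is the usual choice for that step), and the version numbers, struct and function names are all this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is stored next to the data: the ciphertext plus the per-record DEK wrapped under a versioned KEK.
type Envelope struct {
	KEKVersion uint32 // which KEK wrapped the DEK; this tag is what makes rotation possible
	WrappedDEK []byte // DEK sealed under the KEK (nonce || ciphertext || tag)
	Ciphertext []byte // data sealed under the DEK (nonce || ciphertext || tag)
}

// KeyRing holds the KEKs an application may use, by version. In production the KEK bytes stay in an
// HSM or keystore and only wrap/unwrap is exposed; here they are in-memory keys handed in by the
// caller (an assumption so the example runs offline). Current must be a version present in KEKs.
type KeyRing struct {
	KEKs    map[uint32][]byte
	Current uint32 // version used for new records; adding a version and bumping this is a rotation
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal and open are AES-256-GCM with a random 96-bit nonce prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// Encrypt draws a fresh 256-bit DEK for this record and wraps it under the current KEK.
func (r *KeyRing) Encrypt(plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(r.KEKs[r.Current], dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: r.Current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// unwrapDEK uses whichever KEK version the record names; a version no longer in the ring fails closed.
func (r *KeyRing) unwrapDEK(env *Envelope) ([]byte, error) {
	kek, ok := r.KEKs[env.KEKVersion]
	if !ok {
		return nil, errors.New("KEK version not in ring (retired?)")
	}
	return open(kek, env.WrappedDEK)
}

func (r *KeyRing) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := r.unwrapDEK(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rewrap re-seals only the small wrapped DEK under the current KEK; the bulk ciphertext is untouched,
// so rotating a KEK never means re-encrypting the data. Once every record is rewrapped, delete the old version.
func (r *KeyRing) Rewrap(env *Envelope) error {
	dek, err := r.unwrapDEK(env)
	if err != nil {
		return err
	}
	wrapped, err := seal(r.KEKs[r.Current], dek)
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKVersion = wrapped, r.Current
	return nil
}
```

Mapping this back to the list: nothing key-shaped appears in source or configuration (items 1 and 2); the ring is the one place that touches KEK material, which is the boundary an HSM or keystore enforces (items 3 and 4); a rotation (item 5) is three steps, add a version and make it current, rewrap every stored envelope, then delete the old version, and the version tag on each record is what lets you audit that the rollout is complete; the KEKs are the only secrets that need backing up, since every DEK is recoverable from its envelope (item 6); and only the process holding the ring can unwrap anything, so access control on that process is access control on the data (item 7).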

1 Answer


I think that as a first step you should create a Data Classification policy in which you define the different levels of data sensitivity (such as public, internal only, confidential, secret, etc.). You would then have a clear guide to which data is valuable enough to be protected with encryption, either at rest or in transit. Defining the data classification would greatly help both the enterprise's employees (so they know which data to protect and how well) and the internal and external auditors.

In terms of the Encryption Policy itself, I would recommend explicitly stating a prohibition on creating one's own encryption schemes; everyone should be using industry-standard, well-established encryption libraries and mechanisms.

dmitris