Cryptographic Control and Encryption Policy

1. Purpose

This policy defines the cryptographic controls and measures taken by with respect to important data.

2. Scope and Applicability

This policy applies to all data pertaining to any customer that is used by any of the IT systems at end.

3. Execution Responsibilities

3.1 The IT team is responsible for ensuring the execution of the policy.
3.2 The Information Security Manager (ISM) is responsible for ensuring compliance with the policy.

4. Objectives of Cryptographic Controls

4.1 Encryption
Use of encryption to protect sensitive and critical information when it is stored or transmitted.
4.2 Integrity of Information or Authenticity
Use of digital certificates or message authentication codes to verify the authenticity of stored or transmitted information.
4.3 Non-repudiation
Use of cryptographic techniques or methods to provide evidence of events / actions.

5. Use of Cryptographic Controls Policy

5.1. Consider the use of encryption whenever the confidentiality of an asset is important. Cryptography can be used both when sending and when storing data.
5.2. Confidential data on devices must be protected with encryption. The password may be shared separately from the encrypted data.
5.3. All devices, such as laptops and mobile phones, must be protected with a password, and data encryption must be enabled when available.
5.3.1. What's the Standard Operating Procedure for data encryption at ?
5.4. Consider the use of digital signatures or hash functions to ensure integrity.
5.4.1. What's the Standard Operating Procedure for ensuring data integrity?
5.5. The use of strong cryptographic algorithms is encouraged, subject to management controls.
5.6. Ensure that keys are randomly generated with a secure random number generator. Keys should never be stored in source code.
5.7. When adding or changing features that rely on cryptography during software development, a second developer must review the source code and check it against the rules in this policy.
5.8. When using products that contain encryption software, check that the product uses a strong cryptographic algorithm, and perform checks to detect any known weaknesses.
5.9. Checks should be done before exporting software containing cryptography.
5.9.1. Do you have a code review policy in place to check for the requirements in 5.5, 5.6, 5.7, 5.8, and 5.9?
Management of Encryption
5.10. Use a computer program for the generation of keys.
5.10.1. Store keys with restricted access.
Types of Encryption
5.11. Encryption helps with confidentiality, while hashing and digital signatures help with integrity. A combination of the two is recommended.
5.11.1. Symmetric encryption uses a single key to scramble plaintext into ciphertext.
5.11.2. Public key encryption uses a public and private key pair; the algorithm takes the plaintext and the public key to create ciphertext. Only holders of the private key can decrypt the ciphertext.
5.11.3. A hash function takes a (possibly large) plaintext and generates a fixed-size hash, or fingerprint. Anyone with the plaintext can generate the hash.
5.11.4. Digital signature algorithms use a key pair with a public and private key to create a signature file. Anyone with the public key and the plaintext can check the validity of the signature.

5.11.5. What encryption methods are used at ?

6. Protection

6.1. Maintain an information asset inventory to determine which information should be kept confidential.
6.2. Information shared over the internet should be encrypted with SSL, and all individual files should be encrypted.
6.3. Encryption is further recommended for all devices.

7. Exceptions

Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
All exception requests shall be submitted to (CTO). They shall be submitted by email and must be approved by (CTO).

8. Disclaimer

8.1. reserve all rights and are the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, or stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film, or photographs, and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@.com.

9. Enforcement

9.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
9.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing, or also includes ethical violations. In the event of only the former, a non-compliance may be issued by an internal auditor, which would require corrective/preventive actions.
9.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
9.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.