Cryptographic Key Management Policy

1. Purpose

This policy defines the cryptographic key management measures taken by  with respect to the handling of important data.

2. Scope and Applicability

This policy applies to any and all customer data that is used by any of the IT systems at  end.

3. Execution Responsibilities

3.1. The IT team is responsible for ensuring execution of the policy.
3.2. The Information Security Manager (ISM) is responsible for ensuring compliance with the policy.

4. Objectives of Cryptographic Controls

4.1 Encryption
Use of encryption to protect sensitive and critical information when stored or transmitted.
4.2 Integrity or Authenticity of Information
Use of digital certificates or message authentication codes to verify the authenticity of stored or transmitted information.
4.3 Non-repudiation
Use of cryptographic techniques or methods to provide evidence of events or actions.

5. Use of Cryptographic Controls Policy

5.1 Data handling procedures and practices
Defined data handling procedures are in place to ensure that sensitive data and information are stored encrypted using approved encryption methods and management controls.

5.1.1 What are your data handling procedures and practices?

5.2 Encryption methods
Clear definition of encryption methods, with users aware of the data connection being used to transmit sensitive data and of whether encryption is available for that critical information.

5.2.1 What are your encryption methods?

5.3 When is encryption required?
5.3.1. Transmission of sensitive information
5.3.2. Access to sensitive data via the website, mobile application, web application or any web interface
5.3.3. All network traffic for remote access to a virtual desktop environment
5.3.4. Transport of sensitive data that is part of a web service call or database query
5.3.5. Privileged access to network or server equipment for system management

5.3.6 When is encryption required?

5.4 Encryption Procedures
5.4.1. Messages and attachments containing sensitive information should be encrypted when emailed.
5.4.2. Use of digital signatures to guarantee authenticity via email.
5.4.3. Digital signatures are distinguished from e-signatures, which may be in the form of an image of an actual signature. E-signatures are not legally binding as they can be copied.
5.4.4. Users may use a digital signature to authenticate or sign an email, document, or form to express consent.
5.4.5. Use of SSL digital certificates depends on organizational needs and should have an accompanying matrix to determine the right type of certificate, WCU Certification standards, and management procedures.
5.4.6. Use encryption when appropriate on all remote access connections to the organization’s network and resources. The unique encryption key is to be held in a secure repository and accessed only by authorized individuals.
5.4.7. A process must be established for the management of the encryption keys.
5.4.8. Legal advice must be sought before encrypted information and cryptographic controls are moved across jurisdictional borders.
5.4.9 What is your encryption procedure?

6. Exceptions

Exceptions shall not be universal but shall be agreed upon on a case-by-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
All exception requests shall be submitted to the (CTO). These shall be submitted by email and are to be approved by the (CTO).

7. Disclaimer

 reserves all rights and is the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, stored in any media (such as hard disks, USB drives, pen drives, memory cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs, and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with the ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability and implementation, please write to the ISMS team at dpo@..com

8. Enforcement

8.1. This policy and procedure is applicable to all employees of the company who have access to and use the information assets and IT assets listed in the Information Asset Register that has been created for 
8.2. Anyone found to have violated this policy will be subject to a process that will determine whether the violation is only a process non-compliance issue that requires addressing, or also includes ethical violations. In the event of only the former, a non-compliance finding could be issued by an internal auditor, which would require corrective/preventive actions.
8.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary Procedure of 
8.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time at its discretion.