T7.4.1 - POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS Implementation Guidance
The entity shall establish a policy on the use of cryptographic controls.
When developing a cryptographic policy the following should be considered:
- A. The management approach towards the use of cryptographic controls across the entity, including the general principles under which business information should be protected
- B. Based on a risk assessment, the required level of protection should be identified, taking into account the type, strength and quality of the encryption algorithm required
- C. The use of encryption for the protection of sensitive information transported by mobile or removable media, devices, or across communication lines
- D. The approach to key management, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information in the case of lost, compromised or damaged keys
- E. Roles and responsibilities, e.g. who is responsible for:
  1- The implementation of the policy
  2- Key management, including key generation
- F. The standards to be adopted for effective implementation throughout the entity (which solution is used for which business processes)
- G. The impact of using encrypted information on controls that rely upon content inspection (e.g. virus detection)
- H. Any other relevant NESA issuances, guidance and activities in this regard
When implementing the entity’s cryptographic policy, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information.
Cryptographic controls can be used to achieve different security objectives, e.g.:
CONFIDENTIALITY: using encryption of information to protect sensitive or critical information, either stored or transmitted
INTEGRITY/AUTHENTICITY: using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information
NON-REPUDIATION: using cryptographic techniques to obtain proof of the occurrence or non-occurrence of an event or action
Cryptographic techniques can also be used to implement the dissemination rules of information sharing, e.g. through information rights management.