19 Cryptography Policy ISO
19 Cryptography Policy ISO
19 Cryptography Policy ISO
To use this template, simply replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.
Policy Owner Name the person/group responsible for this policy’s management.
Policy Approver(s) Name the person/group responsible for implementation approval of this policy.
Related Policies Name other related enterprise policies both within or external to this manual.
Related Procedures Name other related enterprise procedures both within or external to this manual.
Storage Location Describe physical or digital location of copies of this policy.
Effective Date List the date that this policy went into effect.
Next Review Date List the date that this policy must undergo review and update.
Purpose
Describe the factors or circumstances that mandate the existence of the policy. Also state the policy’s basic
objectives and what the policy is meant to achieve.
The purpose of this policy is to ensure correct use of cryptography to protect the confidentiality, authenticity, and
integrity of the organization’s information.
Scope
Define to whom and to what systems this policy applies. List the employees required to comply, or simply indicate
“all” if all must comply. Also indicate any exclusions or exceptions, i.e. those people, elements, or situations that
are not covered by this policy or where special consideration may be made.
This Cryptography Policy applies to all business processes and data, information systems and components,
personnel, and physical areas of [Insert Company’s Name].
Definitions
Define any key terms, acronyms, or concepts that will be used in the policy. A standard glossary approach is
sufficient.
Guidance Section
ISO27001:2013 A.10 (A.10.1)
NIST SP 800-53 v4 SC-12, SC-13, SC-17
NIST SP 800-21 2.1, 3.6
1
Info-Tech Research Group
Policy Statements
Describe the rules that comprise the policy. This typically takes the form of a series of short prescriptive and
proscriptive statements. Sub-dividing this section into sub-sections may be required depending on the length or
complexity of the policy.
Cryptographic Controls:
[Insert Company’s name] will develop a policy surrounding the proper procedures needed around the
use of cryptographic controls. The following items should be considered:
o Based on a risk assessment, the required level of protection should be identified taking into
account the type, strength, and quality of the encryption algorithm required.
o The use of encryption for protection of information transported by mobile or removable media
devices or across communication lines.
o The standards to be adopted for effective implementation throughout the organization.
o The impact of using encrypted information on controls that rely upon content inspection.
Key Management:
Cryptographic keys should be protected through their whole lifecycle.
Cryptographic algorithms, key lengths, and usage practices should be selected according to best
practice.
All cryptographic keys should be protected against modification and loss. In addition, secret and
private keys need protection against unauthorized use as well as disclosure.
Equipment used to generate, store, and archive keys should be physically protected.
A key management system should be based on an agreed set of standards, procedures, and secure
methods for:
o Generating keys for different cryptographic systems and different applications.
o Issuing and obtaining public key certificates.
o Distributing keys to intended entities, including how keys should be activated when received.
o Storing keys, including how authorized users obtain access to keys.
o Changing or updating keys, including rules on when keys should be changed and how this
will be done.
o Dealing with compromised keys.
o Revoking keys, including how keys should be withdrawn or deactivated.
o Recovering keys that are lost or corrupted.
o Backing up or archiving keys.
o Destroying keys.
o Logging and auditing of key management related activities.
Relevant Procedures
Consider creating formal procedure documents that reinforce and support the policy statements above. Note, it is
best practice to house policies and procedures in separate documents to keep the content focused and reduce
the number of times the policy must be reapproved by senior management.
Non-Compliance
Clearly describe consequences (legal and/or disciplinary) for employee non-compliance with the policy. It may be
pertinent to describe the escalation process for repeated non-compliance.
2
Info-Tech Research Group
Violations of this policy will be treated like other allegations of wrongdoing at [Company Name]. Allegations of
misconduct will be adjudicated according to established procedures. Sanctions for non-compliance may include,
but are not limited to, one or more of the following:
Agreement
Include a section that confirms understanding and agreement to comply with the policy. Both signatures and
dates are required. A sample statement is provided below.
I have read and understand the [name of policy]. I understand that if I violate the rules explained herein, I may
face legal or disciplinary action according to applicable laws or company policy.
___________________________________________
Employee Name
___________________________________________ _______________________________________
Employee Signature Date
Revision History
Version ID Date of Author Rationale
Change
_____________________________________________________
For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.
3
Info-Tech Research Group