
Aarna Cybernetics Information Security Encryption Policy v0.1

Security Encryption Policy v0.1

Uploaded by

Samy Bajpai

Contents

1. Purpose
2. Scope
3. Policy Framework
4. Risk Appetite
5. Policy Statement
5.1. Encryption Standards
5.2. Encryption on data at rest
5.3. Encryption on data in transit
5.4. Encryption Keys and Recovery
5.5. Compliance
5.6. Exceptions
6. Roles and Responsibilities
7. Document Review
8. Related Documents
9. Document Version History

1. Purpose

A supporting document of the Information Security Policy, this policy relates to
securing information through encryption as a means of reducing the risks of data
breaches.

2. Scope

This policy applies to all employees, contractors, volunteers, visitors, and other
workers.

3. Policy Framework

This policy forms part of a set of policies designed to manage business risk and
should be considered in conjunction with the other relevant policies in the
framework below:

4. Risk Appetite

We have no appetite for any non-compliance or significant customer detriment
caused by non-compliant processing of personal data.

5. Policy Statement

5.1. Encryption Standards

The company uses encryption software and services that meet the
recommendations of the National Cyber Security Centre (NCSC) and other
security organisations and have no known exploitable vulnerabilities.

5.2. Encryption on data at rest

All desktops, laptops and devices where possible should have full disk
encryption.
Disk encryption software used:
* {List encryption solutions here}
File Storage Encryption
* {Conditions for file storage here}

5.3. Encryption on data in transit

All digital data being moved must be encrypted.
Where data is being transmitted over the Internet, the service must be secured
by HTTPS using a suitable certificate.
Where possible, emails should be sent encrypted using a secure digital
signature.
Any other methods of moving data should be brought before the information
security team so that they can make a decision on the encryption methods.

5.4. Encryption Keys and Recovery

All encryption keys, recovery keys, IDs, signing requests and cryptographic
components must be documented and stored both physically, in a secure
fireproof safe, and electronically, within a secure encrypted store and not
within individuals’ encrypted volumes.

5.5. Compliance

Compliance with this policy will be audited through various methods, including
but not limited to periodic training, video monitoring, business reports,
internal and external audits, and feedback to the policy owner.
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

5.6. Exceptions

Any exception to the policy must be approved by the [IT Decision Maker] in
advance.

6. Roles and Responsibilities

1.1. First line of defence (everyone) is responsible for:
* Ensuring their day-to-day business activity complies with all relevant regulations.
* Ensuring their business area is compliant with this Policy.
* Reporting any actual or perceived breaches.
1.2. The Second line of defence (the management) is responsible for:
* Oversight of policy implementation.
* Acting as an independent, effective challenger of the first line.
1.3. Third Line of defence (Directors, owners, external advisors or risk team) is responsible for:
* Providing assurance that the Policy meets all regulatory requirements and that the policy is being complied with effectively.
* Reviewing and approving this policy.
* Developing and supplying training on this policy, together with associated standards, tools, methodologies, and programmes.
* Supplying advice and guidance to staff implementing the policy.
1.4. The Board of Directors are responsible for:
* Approval of this policy

7. Document Review

This document will be reviewed by the at least annually, or as and when
needed, if major changes take place in the business structure,
responsibilities, or regulatory framework.

8. Related Documents

* Data Protection Policy
* Information Security Policy
* Third Party Management Policy
* Business Continuity Policy

9. Document Version History

Version   Date         Author          Notes
          11-11-2023   Pritam Bajpai   V1
