C.1 Acceptable Encryption Standard

Version: April 2025
Aligned with: ISO/IEC 27001:2022 (Annex A: A.8.24, A.8.25, A.5.10, A.5.36)
Applies to: All employees, contractors, and systems handling sensitive or regulated data

Purpose
To ensure encryption technologies used across the organization are secure, interoperable, and compliant with international standards and applicable legal frameworks.

1. Cryptographic Algorithm Requirements
(Aligned with A.8.24 – Use of cryptography)

1.1 Symmetric Encryption
- Use only AES (Advanced Encryption Standard) or AES-compatible algorithms
- Must comply with NIST FIPS 140-2 or successor standards

1.2 Asymmetric Encryption
- Use RSA (≥2048-bit) or Elliptic Curve Cryptography (ECC)
- Must follow FIPS 140-2 guidance or equivalent

1.3 Hashing
- Only NIST-approved hash functions (e.g., SHA-2 family)

1.4 Signature Algorithms

Algorithm | Minimum Key Size | Requirements
--------- | ---------------- | ------------------------------------------------------------
ECDSA     | P-256            | Follow RFC 6090 to avoid patent issues
RSA       | 2048 bits        | Use secure padding (e.g., PKCS#7), and hash the message content
LDWM      | SHA-256          | Refer to the LDWM draft for implementation guidance

2. Key Exchange and Authentication
(Aligned with A.8.24 & A.8.25 – Key management and transmission security)
- Approved protocols: Diffie-Hellman, IKE, or ECDH
- Endpoints must be authenticated before any key exchange
- Public key trust must be established via:
  - Cryptographically signed messages, or
  - Manual verification of the key's hash/fingerprint
- Authentication servers (e.g., RADIUS, TACACS) and TLS endpoints must use certificates signed by a trusted Certificate Authority (CA)

3. Key Generation and Protection
(Aligned with A.8.25 – Key management)
- Keys must be securely generated and stored
- Key generation must be seeded with a NIST-approved RNG (see FIPS PUB 140-2 Annex C)
- Secret/private keys must never be stored in plaintext
- Key lifecycle must be managed: generation, distribution, rotation, expiration, and destruction

4. Policy Enforcement & Sanctions
(Aligned with A.5.10, A.5.36 – Acceptable use and enforcement)
- Non-compliance may result in:
  - Mandatory training or written warnings
  - Suspension of system access
  - Termination of contract/employment
  - Legal consequences (if data protection laws are violated)
- All enforcement will follow HR and legal protocols
- Enforcement severity is proportional to the policy breach