
POLICIES ON ENCRYPTION OF DATA

• The nature of transmitting data over the Internet makes it easy for a determined attacker to
read data. The only way to prevent this type of eavesdropping is to use encryption.
• Encryption has moved out of the arena of the military and espionage to become a necessary
technology for protecting the transmission of electronic assets.
• From Virtual Private Networks (VPNs) to privacy-enhanced email, encryption has entered
the mainstream of technologies that affect everyone.
• But governments would prefer that people not use encryption, because it can make it difficult
for them to eavesdrop on the transmissions.
• Before writing the information security policies, we should learn about the encryption laws
of the countries where we plan to use them.

International Encryption Policies


Wassenaar Arrangement
The Wassenaar Arrangement is an international, multilateral arrangement negotiated among 33
founding members to outline the export controls, exchange of views and information, and
technology transfers throughout the world. This agreement, approved in 1996 as a successor to
the Coordinating Committee for Multilateral Export Controls (COCOM), is a policy guideline to
signatory nations and not a treaty.

Liability Concerns
• When law enforcement obtains warrants to search your organization's systems or monitor
encrypted network transmissions, they will require the disclosure of the encryption
algorithms and the keys.
• Additionally, encrypted data and the keys used are supposed to remain safe even when
being given to law enforcement.

Managing Encryption
• Even with the legal questions surrounding the use of encryption, it is a good tool to
ensure the privacy of network communications.
• Some organizations require that management approve the use of encryption; management
is then responsible for certifying its use only after verifying any legal issues.
• This policy can be stated as follows:

Management shall approve all use of encryption within the organization. Prior to
approval, management shall verify that its use complies with all applicable laws and
regulations.

• Compliance with laws and regulations can be achieved by taking decisions that meet
published government standards.
• In addition to management issues, policies can consider the physical management of
hardware and software media used to support encryption.
• Some physical policies for encryption devices include:
o Requiring tamper-resistant hardware
o Physically locking the device that uses a real key
o Placing safeguards on the physical network, including physically protecting
hardware devices and network connections to those devices
o Locking storage for software distribution media

Handling Encryption and Encrypted Data


• Policies covering when to encrypt data can be left to procedures.
• For example, data would be classified based on storage or transmission requirements.
• Rather than inserting those classifications in the policy document, the policy can include
a statement that reads as follows:

All data shall be classified based on usage. The criteria shall include considerations for
the sensitivity of the data, where it is stored, and how the data is transmitted.

• For archived data, because of the complexity of key management and key recovery, the
policies for storage of the backup media can include a policy statement like:

Archive and backup data shall not be encrypted. Sensitive data shall be stored in a
manner consistent with policy.

• For handling the original data on old tapes and online after it is encrypted, a policy
statement can read:

All original data shall be deleted or its media destroyed after it is encrypted. Memory and
storage used by encryption processes shall be thoroughly erased before being released.

Key Generation Considerations


• The encryption key is usually a secret value or has a secret component.
• Policies can specify certain rules that should be followed, namely:
o The allowable format for generated keys (binary or plaintext)
o How the keys can be stored (online storage, removable storage, within devices)
o The allowable life of a key (expiry/regeneration date)
o Mandating that the key-generating algorithms and software not be made
available
o Destruction of key-generating materials and ensuring that memory used to
generate keys does not leave any residual information
• This policy statement can read as follows:

All materials used in generating encryption keys shall be destroyed following their use.
All memory and storage devices shall be thoroughly erased or destroyed as appropriate.

Key Management
From a policy perspective, there are three areas that should be covered in key management
policies:
1. disclosure of keys and key escrows
2. storage of keys
3. transmission of keys

Disclosure of Keys
• Regardless of the type of encryption used, keys will have to be disclosed at some point.
• If your organization outsources services that use encryption, many providers manage the
keys through key escrow systems.
• Sometimes, keys might have to be disclosed under court order.
• Maintaining control of the keys is essential for maintaining the confidentiality of the data
being encrypted.
• A sample key management policy can read:

Encryption keys shall be disclosed only when required for exchange or by law.

• This policy statement does not address key escrow, management of keys through a third
party, or disclosure of employees' keys when their association with the organization is
terminated.
• When working with a service provider, your organization should receive a policy
statement from the provider stating its disclosure policies.

Key Storage
• Key storage policies can cover how keys are stored, backed up, or stored for
transmission.
• A sample policy statement can read as follows:

Keys shall not be stored on the same media as the protected data.

• Regarding policies for eradicating keys from media, most organizations have chosen to
leave requirements unspecified and include them in their procedures.

Transmission of Keys
• A public key can be transmitted openly without worrying about compromise, but to
transmit a symmetric key we have to use a method that does not follow the same
transmission path as the data.
• A sample policy statement can read as follows:

All management of public key/asymmetric encryption keys shall not be transmitted using the
same network that will carry encrypted data. All symmetric encryption keys shall be
physically exchanged and not transmitted across any network.
