24.1 ObjectiveEncryption should be

24.1 Objective
Encryption should be used for the Group’s sensitive information that will be stored in non-secure locations or transmitted over external networks. Encryption is used to ensure the security of data and to protect privacy in communications infrastructure, networks & systems.
24.2 Policy
a) Determine that policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure protection of keys against modification and unauthorized disclosure, including dual custody and observation by witnesses.
b) Create cryptographic keys in a secure manner, only individuals not involved with the operational use of the keys are to create the keys. Credentials of key requestors must be verified.
c) Define and implement a process that identifies and revokes compromised keys. Notify all stakeholders as soon as possible of the compromised key.
d) While evaluating Public Key Infrastructure (PKI) as a solution for communicating with external entities, the ability of the external party to ensure security of the certificate must be considered.
e) Create and maintain a written certification practice statement that describes the practices that have been implemented in the certification authority, registration authority and directory when using a public-key-based encryption system.
f) Digital certificates must be issued by a certified Certifying Authority. IT may choose to setup its own internal Certifying Authority.
g) Strong encryption must be applied base on industry best practice and standard.
h) If there is sensitive and confidential information that needs to be transmitted over internal network, applications owners need to consult IT Security to analyze and determine the need for cryptographic controls.
i) Cryptographic keys that are being used or transmitted; IT Security must ensure these keys must not be exposed during usage and transmission.
j) Cryptographic keys that have expired; a secure key destruction method must be used to ensure keys must not be recovered by any parties.
k) Changing a cryptographic key must be independently generated from the previous key.
l) The key used to encrypt the original key must not be used to encrypt archived keys.
m) The storage duration of archived keys must be similar to the crypto period of the original key.
n) Different crypto keys must be used for generating one time password (OTP) and for signing transactions.
 
24.3 Public Key Infrastructure (PKI) Policy
a) PKI provides the facility for authenticating the originator of the message, encryption of data in transit and storage, verifying the integrity of the data and providing non-repudiation. PKI involves the use of digital certificates by all parties engaged in data communication. The Group should use PKI for communicating with external entities where high value transactions are conducted and where there is a risk of legal or contractual liability.
b) Digital certificates must be issued by a certified Certifying Authority. IT may choose to setup its own internal Certifying authority.
24.3.1 PKI – Group as Internal Certifying Authority (CA)
a) User key pair can be generated by the user or by the CA. It must be ensured that no copy of the user’s private key is retained by CA to avoid risk of repudiation.
b) In order to reduce the likelihood of compromise, certificates must have a defined activation and deactivation date, so that they can be used only for a limited period of time. IT must decide the validity period of the user certificate.
24.3.2 PKI – External Certifying Authority
If the Group is opting for an external Certifying Authority it must be ensured that the following issues have been addressed:-
a) Trust – The CA must be organized, controlled & regulated in such a way that its operations are reliable and validated.
b) Accreditation - The CA must be accredited by the recognized national, regional and international groups.
c) Compliance – The CA must be operate in compliance with accepted industry standards and all relevant regulations.
d) Contract – There must be a legally binding contract in place covering the provisions of the service and addressing all the issues.
e) Liability – The contract must include the circumstances under which the CA will be liable for damages. The liability should be adequate enough considering Group’s exposure. It should ensure that the CA has sufficient resources to meet its potential liabilities.
f) Security Policy – The CA must have a security policy covering technical and administrative requirements.
 
g) When using the services of an external CA, the Group can act as Registration Authority (RA) for its employees. RA is responsible for validating the credentials of Group employees seeking digital certificates and revocation reporting
24.3.3 PKI – End-user responsibilities
a) Users must ensure that their private keys are kept strictly confidential and not available to anyone else including the Certifying Authority
b) User must safeguard the private key by locking with password and/or by storing on media like smart card that is always under the custody of the user
c) If there is compromise of private key or if the key is unavailable (because of damage to key storage media) it must be immediately reported to the Registration Authority/CA.
d) User must maintain an updated copy of certificate revocation list to ensure that expired or compromised certificates are not used in transactions
e) User must ensure that certificate is renewed before expiry