Cryptographic Policy
[Insert classification]

In general, the policy of [Organization Name] is to use the following techniques for the relevant business process or situation:
Columns: Process/situation; Technique; Specific guidance

Process/situation: Storage of data in the cloud
Technique: AES-256 encryption at rest
Specific guidance: Keys not to be held by the CSP

Process/situation: E-commerce transactions over the Internet
Technique: Symmetric encryption using TLS (asymmetric techniques used to share the session key)
Specific guidance: RSA to be used for public key cryptography. Certificates to be obtained from a reputable supplier

Process/situation: Protection of data on removable media
Technique: Symmetric encryption
Specific guidance: AES-256 encryption to be used where available

Process/situation: Protection of passwords on systems
Technique: All passwords must be hashed
Specific guidance: MD5 hashing to be used where available

Process/situation: Email security
Technique: Symmetric/asymmetric encryption using S/MIME
Specific guidance: Features available in the relevant email client should be used to simplify the process

Process/situation: Remote access
Technique: Virtual Private Network (VPN) using TLS 1.2 or higher
Specific guidance: An IPsec VPN may be used where permitted by the Network Security Policy

Process/situation: Processing and/or transmitting cardholder data internally
Technique: Strong cryptography as per industry recognised standards
Specific guidance: Strong cryptography as per industry recognised standards

Process/situation: Processing and/or transmitting cardholder data over a public/open Wi-Fi
Technique: Strong cryptography as per industry recognised standards
Specific guidance: Only trusted keys and certificates are to be used

Process/situation: Storing cardholder data
Technique (any of the following):
  - Strong cryptography as per industry recognised standards
  - One-way hashes based on strong cryptography
  - Truncation (hashing cannot be used to replace the truncated segment of the PAN)
  - Index tokens and pads (pads must be securely stored)
Specific guidance:
  - Logical access will be managed separately and independently of OS authentication and access methods
  - Decryption keys will not be associated with user accounts

Process/situation: Accessing systems that store, process or transmit cardholder data
Technique: Strong cryptography as per industry recognised standards
Specific guidance: Encrypt all access to systems to avoid sending IDs/passwords in clear text

Process/situation: Additional security required for known services, protocols or daemons (HTTP)
Technique: TLS 1.2
Specific guidance: SSL or early TLS should not be used

Process/situation: Securing wireless networks
Technique: WPA2 or 802.1X (TLS 1.2)
Specific guidance: WEP or SSL not to be used

Table 1: Cryptographic techniques
The continued use of the specified techniques will be evaluated on each review of this policy.
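The rows requiring TLS 1.2 or higher and ruling out SSL and early TLS are the ones most easily checked by a script. The following is an added example, not part of this policy document, that enforces that rule in a client-side ssl.SSLContext and audits negotiated protocol versions from handshake logs against it. The log format, host names and addresses are constructed for the example and are not from any real system.

```python
"""Added example (not part of the policy document): audit negotiated TLS
protocol versions against the policy rule "TLS 1.2 or higher; SSL or early
TLS should not be used", and build an ssl.SSLContext that enforces it.
The log format, host names and addresses below are constructed."""
import re
import ssl

# Versions the policy permits: TLS 1.2 or higher.
PERMITTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Versions the policy rules out by name: SSL and early TLS.
FORBIDDEN_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def version_permitted(version):
    """Return True only for protocol versions the policy allows.

    Anything not explicitly permitted (including unknown or misspelled
    version strings) is treated as non-compliant, so nothing passes by
    accident."""
    return version in PERMITTED_VERSIONS


def policy_context():
    """Client-side SSLContext that refuses to negotiate below TLS 1.2.

    SSLContext.minimum_version and ssl.TLSVersion exist from Python 3.7.
    PROTOCOL_TLS_CLIENT keeps certificate verification on, matching the
    policy's requirement for trusted keys and certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_version_name():
    """Name of the floor enforced by policy_context(), e.g. 'TLSv1_2'."""
    return policy_context().minimum_version.name


# Constructed handshake log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=shop-web-01 service=https client=10.0.0.5 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2024-05-01T09:12:07Z host=shop-web-01 service=https client=10.0.0.9 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2024-05-01T09:12:11Z host=legacy-api-02 service=https client=10.0.0.14 proto=TLSv1.1 cipher=AES256-SHA
2024-05-01T09:12:15Z host=mail-gw-01 service=smtps client=10.0.0.21 proto=SSLv3 cipher=RC4-SHA
2024-05-01T09:12:19Z host=vpn-01 service=tls-vpn client=198.51.100.7 proto=TLSv1.2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256
"""

# Extract host, service and negotiated protocol from one log line.
LINE_RE = re.compile(
    r"host=(?P<host>\S+) service=(?P<service>\S+) .*?proto=(?P<proto>\S+)"
)


def audit_handshakes(log_text):
    """Return one finding (dict) per handshake that violates the policy.

    A finding records the host, service, negotiated version, and whether
    the version is one the policy names as forbidden or merely unrecognised
    by this checker (both are reported, since neither is permitted)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a handshake record; ignore
        proto = m.group("proto")
        if version_permitted(proto):
            continue
        findings.append({
            "host": m.group("host"),
            "service": m.group("service"),
            "proto": proto,
            "reason": ("forbidden by policy" if proto in FORBIDDEN_VERSIONS
                       else "unrecognised version"),
        })
    return findings


if __name__ == "__main__":
    print("enforced minimum:", minimum_version_name())
    for f in audit_handshakes(SAMPLE_LOG):
        print(f"{f['host']} ({f['service']}): {f['proto']} - {f['reason']}")
```

Run on the constructed log, the audit reports the TLS 1.1 handshake on legacy-api-02 and the SSLv3 handshake on mail-gw-01 and nothing else; the allow-list design means a future or unexpected version string is flagged for review rather than silently accepted.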
Version 1
Page 10 of 13
[Insert date]