d3 Solutions - Cryptographic Policy
The purpose of this policy is to ensure the confidentiality, integrity, and availability of information by defining a framework for the use of cryptographic controls.
This policy applies to all information systems and assets that process, store, or transmit sensitive information.
Roles and Responsibilities
All employees, contractors, and vendors are responsible for complying with this policy and ensuring the security of the organisation's information and technology assets.
All cryptographic keys used for encryption, decryption, digital signatures, or other purposes are generated using a secure process. The keys are stored in a secure location, and access to them are restricted to authorised personnel only. The following key management practices must be adhered to:
Keys are generated using a secure random number generator.
Keys are distributed through a secure channel to authorized personnel only.
Keys are installed on secure systems in accordance with established procedures.
Keys are renewed or rotated at regular intervals as defined in the key management plan.
Keys are revoked or expired when they are no longer needed or when they have been compromised.
Only cryptographic algorithms that are well-established international standards and have been subjected to rigorous scrutiny by the international community of cryptographers or approved by authoritative professional bodies, reputable security vendors, or government agencies must be used. The following cryptographic algorithms are approved for use:
Advanced Encryption Standard (AES) with key sizes of 256 bits.
RSA with key sizes of 2048, 3072, and 4096 bits for encryption and digital signatures.
Secure Hash Algorithm (SHA) 256 and 384 for message digest and digital signatures.
This policy is designed to ensure that cryptographic controls are used effectively and consistently across the organisation. It is the responsibility of all personnel to adhere to the requirements of this policy to protect the confidentiality, integrity, and availability of sensitive information. Any violations of this policy will result in disciplinary action.