Policy Owner: Principal Engineer
...
| Anchor | ||||
|---|---|---|---|---|
|
CloudCard shall evaluate the risks inherent in processing and storing data, and shall implement cryptographic controls to mitigate those risks where deemed appropriate. Where encryption is in use, strong ensure that all non-public data is encrypted at rest and in transit over public networks. Strong cryptography with associated key management processes and procedures shall be implemented and documented for all encryption usage. All encryption shall be performed in accordance with industry standards, including NIST SP 800-57.
Customer or confidential company data must utilize strong ciphers and configurations in accordance with vendor recommendations and industry best practices including NIST Cryptographic Standardswhen stored or transferred over a public network.
| Anchor | ||||
|---|---|---|---|---|
|
...
The following table includes the recommended usage for cryptographic keys:
Domain | Key Type | Algorithm | Key Length | Max Expiration |
Web Certificate | RSA or ECC with SHA2+ signature | RSA or ECC with SHA2+ signature | 2048 bit or greater/RSA, 256bit or greater/ECC | Up to 1 year |
Web Cipher (TLS) | Asymmetric Encryption | Ciphers of B or greater grade on SSL Labs Rating | Varies | N/A |
Confidential Data at Rest | Symmetric Encryption | AES | 256 bit | 1 Year |
Passwords | One-way Hash | Bcrypt, PBKDF2, or scrypt, Argon2 | 256 bit+10K Stretch. Include unique cryptographic salt | N/A |
Endpoint Storage (SSD/HDD) | Symmetric Encryption | AES | 128 or 256 bit | N/A |
| Anchor | ||||
|---|---|---|---|---|
|
...
Any known violations of this policy should be reported to the Principal EngineerChief Technical Officer. Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.
Version | Date | Description | Author | Approved by |
1.0 | 2023-03-21 | First Version | Ryan Heathcote | Tony Erskine |
2.0 | 2024-07-18 | Annual Review | Ryan Heathcote |
Tony Erskine |