Encryption Policy

Version: 9.4 | Effective Date: March 1, 2020

  • Document Created: February 5, 2020
  • Last Reviewed: December 18, 2024
  • Next Review Date: December 2025
  • Approved By: Chief Technology Officer
  • Policy Owner: Security Officer

10.1 Purpose

This Encryption Policy establishes requirements for implementing cryptographic controls to protect confidentiality, integrity, and authenticity of sensitive data during storage, transmission, and processing.

10.2 Scope

Applies to all data requiring protection (customer data, PII, financial records, credentials, intellectual property, employee information, confidential business information), all systems and infrastructure, and all personnel handling sensitive data or cryptographic systems.

10.3 Policy Statements

10.3.1 Data at Rest Encryption

  • Database Encryption: Production databases containing sensitive data implement AES-256 encryption through Transparent Data Encryption (TDE), column-level encryption for highly sensitive fields, and encrypted backups.
  • File System Encryption: Servers and workstations implement full disk encryption using AES-256 (BitLocker, FileVault, LUKS) enabled before deployment.
  • Cloud Storage: Data in AWS S3 and Azure Blob Storage encrypted using AES-256 server-side encryption with customer-managed keys through AWS KMS or Azure Key Vault.
  • Removable Media: USB drives and portable storage containing sensitive data must use hardware-encrypted devices or software encryption (BitLocker To Go, VeraCrypt).

10.3.2 Data in Transit Encryption

  • Transport Layer Security: TLS 1.2 minimum, TLS 1.3 preferred. HTTPS enforced for all web traffic with HSTS implemented. Strong cipher suites configured with Perfect Forward Secrecy.
  • VPN Encryption: IPsec or SSL/TLS-based VPN with AES-256 encryption minimum and strong authentication.
  • Email Encryption: TLS for email transmission between servers, end-to-end encryption (S/MIME, PGP) for highly sensitive content.
  • API and Web Services: HTTPS/TLS for all endpoints, mutual TLS for high-security integrations, OAuth tokens protected during transmission.

10.3.3 Encryption Algorithms

  • Approved Symmetric: AES-256 (preferred), AES-128/192 (acceptable), ChaCha20 (specific use cases)
  • Approved Asymmetric: RSA 2048-bit minimum (4096 preferred), ECC P-256 minimum (P-384/P-521 preferred)
  • Approved Hashing: SHA-256 (preferred), SHA-384/512 (high-security), bcrypt/scrypt/Argon2 (passwords), PBKDF2 with 100,000+ iterations
  • Deprecated/Prohibited: DES, 3DES, RC4, MD5, SHA-1, RSA <2048 bits
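The password-hashing requirement above (PBKDF2 with 100,000+ iterations, SHA-256 as the preferred hash) is the one item in this list that application code implements directly rather than inheriting from a platform setting. The following is an added illustration, not code from this policy or its owning organization: it derives a password hash with PBKDF2-HMAC-SHA256 at the policy minimum, refuses iteration counts below that minimum so a misconfigured caller cannot silently produce a non-compliant record, verifies in constant time, and audits stored records for compliance. The 16-byte salt length and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions for the example; the policy does not specify either.

```python
import hashlib
import hmac
import secrets

# Values taken from the policy text: PBKDF2 with 100,000+ iterations, SHA-256 preferred.
POLICY_MIN_ITERATIONS = 100_000
HASH_NAME = "sha256"
# Assumed for this example; the policy does not state a salt length.
SALT_BYTES = 16
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, iterations: int = POLICY_MIN_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    Raises ValueError when the iteration count is below the policy minimum so that
    a weak configuration fails loudly instead of producing a non-compliant hash.
    """
    if iterations < POLICY_MIN_ITERATIONS:
        raise ValueError(
            f"iterations {iterations} below policy minimum {POLICY_MIN_ITERATIONS}"
        )
    # Salt from the OS CSPRNG, consistent with the key-generation rule in 10.3.4.
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def record_is_compliant(record: str) -> bool:
    """Audit check for stored records: approved scheme and iteration count at or above policy minimum.

    Records using a prohibited hash (e.g. an md5-prefixed scheme) or too few
    iterations are flagged for re-hashing at the user's next successful login.
    """
    parts = record.split("$")
    if len(parts) != 4:
        return False
    scheme, iterations = parts[0], parts[1]
    return scheme == SCHEME and iterations.isdigit() and int(iterations) >= POLICY_MIN_ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
    # Constructed legacy record with only 10,000 iterations: flagged as non-compliant.
    legacy = "pbkdf2_sha256$10000$" + "00" * SALT_BYTES + "$" + "00" * 32
    print(record_is_compliant(legacy))  # False
```

Running the audit check over an existing credential store is a practical way to find records that predate the policy; re-hashing them on the next successful authentication brings them into compliance without forcing a password reset.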

10.3.4 Key Management

Keys are generated using cryptographically secure random number generators with sufficient entropy. Keys are stored in AWS KMS, Azure Key Vault, or HSMs, separately from the data they encrypt. Keys are rotated at least annually (database keys) or every 90 days (TLS certificates, API keys), and immediately upon suspected compromise. Keys are backed up securely with documented recovery procedures.

10.3.5 Certificate Management

Certificates use commercial CAs (DigiCert, Sectigo, GlobalSign) or Let’s Encrypt. TLS/SSL certificates rotated on 90-day cycle with automated renewal, monitoring for expiration, and alerts 30/14/7 days before expiration.

10.4 Compliance

Supports NIST SP 800-52, 800-57, 800-111, 800-175B, FIPS 140-2/140-3, PCI DSS, HIPAA, ISO/IEC 27001:2022 (A.8.24), and GDPR.
