Encryption and Cryptographic Policy
The protection of electronic information and access to storage systems is critical to effective operation and confidence in all Profectus services. Protecting person-identifiable and business-critical information from unauthorised access, disclosure or loss, whether by theft or accident, is of paramount importance.
A secure, robust technology infrastructure in addition to appropriate policies and procedures will help to ensure that wherever possible, all steps have been taken to protect this information.
Cryptographic keys are used to enable secure communication in the presence of third parties. They form part of the protocols that block adversaries and ensure confidentiality, integrity and authentication during secure communication. Cryptographic keys work by converting (encrypting) data to make it inaccessible and unreadable to unauthorised individuals. The only way to read the encrypted data is by using a decryption key.
The Australian Privacy Act (1988) requires Profectus to have the appropriate policies and procedures to ensure the safety, use, retrieval and access to data as covered by the relevant sections of the Act.
The purpose of this policy is to ensure that cryptographic keys are effectively and securely managed. This includes their creation and safe storage as well as the policies governing their use within the Profectus information networks and any associated client or other integration points.
This policy covers the encryption for the following devices and applications.
The Profectus system administrators retain overall control and management responsibility for the creation, safe storage and use of any cryptographic controls across Profectus and associated integrated networks.
It remains the responsibility of every member of staff, regardless of role or position, to ensure that all sensitive and critical data is encrypted as required and outlined within this policy.
An overview of key positions and responsibilities is listed below.
Effective key management is the crucial element for ensuring the security of any encryption system. Key management procedures must ensure that authorised users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements.
The following high-level procedures must be adhered to in the management of encryption keys.
Key ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible”. The use of the Advanced Encryption Standard (AES) is mandated for symmetric encryption.
The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
The primary benefit of transport layer security is the protection of web application data from unauthorised disclosure and modification when it is transmitted between clients and the web application server, as well as between the web application server and back-end and other non-browser-based enterprise components.
The following TLS controls are implemented for all available systems (modified from the relevant OWASP recommendations):
The following server and application design considerations must be adhered to:
SSL certificates for use across Profectus service applications are obtained from the relevant certificate authority or authorised representative. The current certificate authority for any given certificate is listed in our Contracts system.
Portable devices represent a specific category of devices that contain data-at-rest. The most effective approach to prevent exposures is to avoid storing confidential data on these devices. As a general practice, confidential data should not be copied to or stored on a portable computing device or a non-Profectus owned and controlled computing device. However, in situations that require confidential data to be stored on such devices, encryption reduces the risk of unauthorised disclosure in the event that the device becomes lost or stolen.
Confidential information stored on portable devices including laptops must be encrypted using products and/or methods approved by Profectus. Portable devices including laptops, tablets, smart-phones and other electronic devices should not be used for the long-term storage of any confidential information.
Portable devices including laptops, tablets, smart-phones and other electronic devices that store or transmit confidential information must have the proper protection mechanisms installed, such as password protection and relevant anti-virus or firewall software, subject to required applications being properly configured.
Removable media including CD-ROMs, DVDs, backup tapes, and USB memory drives that contain confidential information must be encrypted and stored in a secure, locked location. These devices must be transported using secure services. Media that is sent off-site for storage by third parties must have accompanying chain of custody forms for possession tracking of media.
Data owners and users of portable computing devices and non-Profectus owned computing devices containing confidential data must acknowledge how they will ensure that data are encrypted and how encrypted data will be accessible by the owner in the event that an encryption key becomes lost or forgotten.