Encryption and Cryptographic Policy


    Overview

    The protection of electronic information and access to storage systems is critical to effective operation and confidence in all of Profectus services. Protecting person identifiable and business critical information from unauthorised access, disclosure or loss whether by theft or accident is of paramount importance.

    A secure, robust technology infrastructure in addition to appropriate policies and procedures will help to ensure that wherever possible, all steps have been taken to protect this information.

    Cryptographic keys are used to enable secure communication in the presence of third parties. They form part of the protocols that keep adversaries out and ensure confidentiality, integrity and authentication during secure communication. Cryptographic keys work by converting (encrypting) data to make it inaccessible and unreadable to unauthorised individuals. The only way to read the encrypted data is by using a decryption key.

    The Australian Privacy Act (1988) requires Profectus to have the appropriate policies and procedures to ensure the safety, use, retrieval and access to data as covered by the relevant sections of the Act.

    Purpose of this policy

    The purpose of this policy is to ensure that cryptographic keys are effectively and securely managed. This includes their creation and safe storage as well as the policies governing their use within the Profectus information networks and any associated client or other integration points.

    Scope of this policy

    This policy covers encryption for the following devices and applications:

    • Desktop, laptop, tablet computers
    • Handheld devices such as mobile phones
    • Portable storage devices e.g. USB memory sticks, external drives
    • Removable media e.g. other portable storage, backup tapes
    • Email
    • Application and Database servers

    Roles and Responsibilities

    The Profectus system administrators retain overall control and management responsibility for the creation, safe storage and use of any cryptographic controls across Profectus and associated integrated networks.

    It remains the responsibility of every member of staff, regardless of role or position, to ensure that all sensitive and critical data is encrypted as required and outlined within this policy.

    An overview of key positions and responsibilities is listed below.

    CTO:

    • Ultimately responsible for the policies and procedures contained herein
    • Approve high-level cryptographic policy changes as they arise
    • Formulate and direct cryptographic and associated policies
    • Review and sign-off periodic policy compliance checks

    System Administrators:

    • Manage and perform the operational cryptographic requirements
    • Perform periodic compliance checks
    • Recommend and suggest policy changes as required

    Cryptographic Keys

    Effective key management is the crucial element for ensuring the security of any encryption system. Key management procedures must ensure that authorised users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements.

    Key management

    The following high-level procedures must be adhered to in the management of encryption keys.

    • Encryption keys are managed in a way that ensures encrypted stored data will neither become unrecoverable nor accessible by an unauthorised person.
    • Authorised Profectus staff can obtain prompt access to the encrypted information in the case of an emergency or investigation.
    • Encryption keys are stored and always communicated securely.
    • A record is kept of who holds encryption keys relating to important information.
    • No single individual is authorised to generate a new CA key pair.
    • Keys in storage and transit must be encrypted.
    • Private keys must be kept confidential.
    • Keys must be randomly chosen from the entire key space, using hardware-based randomisation.
    • Key-encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key-encrypting key.
    • Keys that are transmitted are sent securely to well-authenticated parties.

    Algorithm requirements

    Key ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible”. The use of the Advanced Encryption Standard (AES) is mandated for symmetric encryption.

    The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

    Transport layer security (TLS)

    The primary benefit of transport layer security is the protection of web application data from unauthorised disclosure and modification when it is transmitted between clients and the web application server, as well as between the web application server and back-end and other non-browser-based enterprise components.

    The following TLS controls are implemented for all available systems (modified from the relevant OWASP recommendations):

    • Use TLS, as SSL is no longer considered usable for security.
    • All pages must be served over HTTPS. This includes CSS, scripts, images, AJAX requests, POST data and third-party includes.
    • The HTTP Strict Transport Security header must be used and pre-loaded into browsers. This will instruct compatible browsers to only use HTTPS, even if requested to use HTTP.
    • Cookies must be marked as Secure.

    The following server and application design considerations must be adhered to:

    • Use TLS or other strong transport everywhere
    • Do not provide non-TLS pages for secure content
    • Do not mix TLS and non-TLS content
    • Use “SECURE” cookie flag
    • Prevent caching of sensitive data
    • Use public key pinning

    SSL certificate management

    SSL certificates for use across Profectus service applications are obtained from the relevant certificate authority or authorised representative. The current certificate authority for any given certificates is listed in our Contracts system.

    Portable Devices

    Portable devices represent a specific category of devices that contain data-at-rest. The most effective approach to prevent exposures is to avoid storing confidential data on these devices. As a general practice, confidential data should not be copied to or stored on a portable computing device or a non-Profectus owned and controlled computing device. However, in situations that require confidential data to be stored on such devices, encryption reduces the risk of unauthorised disclosure in the event that the device becomes lost or stolen.

    Confidential information stored on portable devices, including laptops, must be encrypted using products and/or methods approved by Profectus. Portable devices including laptops, tablets, smart-phones and other electronic devices should not be used for the long-term storage of any confidential information.

    Portable devices including laptops, tablets, smart-phones and other electronic devices that store or transmit confidential information must have the proper protection mechanisms installed, such as password protection and relevant anti-virus or firewall software, and must have the required applications properly configured.

    Removable media including CD-ROMs, DVDs, backup tapes, and USB memory drives that contain confidential information must be encrypted and stored in a secure, locked location. These devices must be transported using secure services. Media that is sent off-site for storage by third parties must have accompanying chain of custody forms for possession tracking of media.

    Data owners and users of portable computing devices and non-Profectus owned computing devices containing confidential data must acknowledge how they will ensure that data are encrypted and how encrypted data will be accessible by the owner in the event that an encryption key becomes lost or forgotten.

     

    © Copyright Profectus Group 2020