Manage the use of encryption controls and cryptographic controls.


CONTROL ID
00570
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Define the cryptographic module security functions and the cryptographic module operational modes., CC ID: 06542
  • Employ only secure versions of cryptographic controls., CC ID: 12491
  • Establish and maintain digital signatures, as necessary., CC ID: 13828
  • Establish, implement, and maintain an encryption management and cryptographic controls policy., CC ID: 04546
  • Establish and maintain cryptographic key management procedures., CC ID: 00571
  • Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally., CC ID: 13153
  • Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally., CC ID: 13154
  • Use strong data encryption to transmit restricted data or restricted information over public networks., CC ID: 00564


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A person shall use encryption, regardless of the encryption key length, selected encryption algorithm, implementation technique, or medium used, in accordance with this act. (§ 85, The Electronic Communications and Transactions Act, 2002)
  • A key holder shall not decrypt data or release the decryption key absent authorization. (§ 87(1), The Electronic Communications and Transactions Act, 2002)
  • A key holder may decrypt data or communication or release the decryption key with the approval of the owner of the data or communication or the owner of the key. (§ 87(3)(a), The Electronic Communications and Transactions Act, 2002)
  • A key holder may decrypt data or communication or release the decryption key when the decrypting or release is necessary or incidental to providing encryption services or managing or holding the key. (§ 87(3)(b), The Electronic Communications and Transactions Act, 2002)
  • A key holder may decrypt any data or communication or release the decryption key to assist a law enforcement officer pursuant to a communications order or interception order to access stored records. (§ 87(3)(c), The Electronic Communications and Transactions Act, 2002)
  • A recovery agent shall not use stored recovery information to decrypt any data or communication. (§ 91(1)(b), The Electronic Communications and Transactions Act, 2002)
  • If cryptographic technology is used to protect the confidentiality and integrity of AIs’ information, AIs should adopt industry-accepted cryptographic solutions and implement sound key management practices to safeguard the associated cryptographic keys. Sound practices of key management generally … (3.1.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • T28.2: The organization should select reliable technologies for encryption and password use. When selecting the technologies, the organization should keep in mind increases in CPU loading and delays in processing business operations. The organization should use several encryption technologies to kee… (T28.2, T29.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Typical areas or situations requiring deployment of cryptographic techniques, given the risks involved, include transmission and storage of critical and/or sensitive data/information in an 'un-trusted' environment or where a higher degree of security is required, generation of customer PINs which ar… (Critical components of information security 14) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • With a clear understanding of network connectivity, banks can avoid introducing security vulnerabilities by minimizing access to less-trusted domains and employing encryption and other controls for less secure connections. Banks can then determine the most effective deployment of protocols, filterin… (Critical components of information security 24) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Password used for authentication is encrypted during transmission and also encrypted or hashed in storage. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure. (Annex A1: Authentication and Passwords 22, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Encrypt sensitive personal data, which has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure. (Annex A1: Security of Personal Computers & Other Computing Devices 38, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Encrypt or password protect attachments containing personal data that has a higher risk of adversely affecting the individual should it be compromised. The password should be communicated separately. For encryption, review the method of encryption (e.g. algorithm and key length) periodically to ensu… (Annex A1: Email Security 55, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Encrypt confidential or sensitive personal data that has a higher risk of adversely affecting the individual should it be compromised. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure. (Annex A1: Database Security 52, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Use two-factor authentication and strong encryption for remote access. Review the method of encryption (e.g. algorithm and key length) periodically to ensure that it is recognised by the industry as relevant and secure. (Annex A2: Computer Network Security 11, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The organization must use a DSD Approved Cryptographic Algorithm encryption product to reduce the physical transfer requirements or the storage requirements for equipment or media that contains sensitive information to an unclassified level. (Control: 1161, Australian Government Information Security Manual: Controls)
  • The organization must use a common criteria-evaluated encryption product that has a Defence Signals Directorate cryptographic evaluation to reduce the physical transfer requirements or storage requirements for media and equipment containing classified information to an unclassified level. (Control: 0457, Australian Government Information Security Manual: Controls)
  • The organization must use High Grade Cryptographic Equipment to reduce the physical transfer requirements or storage requirements of media or equipment that contains classified information to a lower classification. (Control: 0460, Australian Government Information Security Manual: Controls)
  • The organization should not use the Electronic Codebook mode when using Triple Data Encryption Standard or Advanced Encryption Standard on unclassified systems. (Control: 0479, Australian Government Information Security Manual: Controls)
  • The organization must use 3 distinct keys or 2 distinct keys in the order key 1, key 2, key 1 when using Triple Data Encryption Standard on unclassified systems. (Control: 0480, Australian Government Information Security Manual: Controls)
  • The organization must use the Suite B algorithms in High Grade Cryptographic Equipment, if it is using them to protect confidential information, secret information, and top secret information. (Control: 1232, Australian Government Information Security Manual: Controls)
  • The organization should disable the aggressive mode for Internet Key Exchange when using Internet Security Association and Key Management Protocol in Internet Key Exchange version 1. (Control: 0497, Australian Government Information Security Manual: Controls)
  • The organization should use a Security Association lifetime of less than four hours (14400 seconds) for Internet Protocol Security. (Control: 0498, Australian Government Information Security Manual: Controls)
  • The organization should use perfect forward secrecy for Internet Protocol Security connections. (Control: 1000, Australian Government Information Security Manual: Controls)
  • The organization should disable the use of IKE Extended Authentication (XAUTH) for Internet Protocol Security connections that use Internet Key Exchange version 1. (Control: 1001, Australian Government Information Security Manual: Controls)
  • The organization should use cryptographic techniques to control access to sensitive information and sensitive data in storage. (¶ 50, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement cryptographic techniques when a higher degree of security is required. (Attach F ¶ 1(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • A regulated institution would typically utilise tamper resistant devices to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules (HSMs) or similarly secured devices. These devices would be ap… (Attachment F ¶ 7, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In order to minimise the risk of compromise, an end-to-end approach would normally be adopted, where encryption is applied from the point of entry to final destination. (¶ 51, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • A regulated institution would normally select appropriate cryptographic techniques based on the control effectiveness required and the sensitivity and criticality of the data/information involved. The institution's chosen cryptographic techniques would normally be reviewed on a regular basis to ensu… (Attachment F ¶ 3, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In order to minimise the risk of compromise, an end-to-end approach would typically be adopted, where encryption is applied from the point-of-entry to final destination. (55., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity would typically select cryptographic techniques based on the nature of the activity and the sensitivity and criticality of the data involved. The cryptographic techniques would typically be reviewed on a regular basis to ensure that they remain commensurate with vulnerabilit… (Attachment E 2., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • use of physically and logically protected devices and environments to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules (HSMs) or similarly secured devices; (Attachment E 5(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Audits of the cryptographic system material should be conducted when administrative duties are transferred from one individual to another, when individuals who can access the cryptographic material change, and at least annually. (§ 3.9.47, Australian Government ICT Security Manual (ACSI 33))
  • The processing of personal data by electronic means will only be allowed if the following minimum security measure is implemented with the technical specifications stated in Annex B of this Code: implementing encryption for processing by health care bodies that disclose health and sex life. (§ 34.1(h), Italy Personal Data Protection Code)
  • Systems or parts used for decoding the technical protection of electronic communications is prohibited from being possessed, imported, manufactured, and distributed, if it is intended for unlawful decoding of technical protection. The Finnish Communications Regulatory Authority may grant an exceptio… (§ 6(2), § 6(3), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • (§ IX, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • § 2.2 (2.2.120) A secure encryption algorithm, such as AES, should be used to transmit highly sensitive information on WLANs. § 2.3.1 (2.3.1.010) The recommended architecture to secure WLAN traffic on the internal network should be based on Layer 3 encryption with a FIPS 140-2 secure VPN solution.… (§ 2.2 (2.2.120), § 2.3.1 (2.3.1.010), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Devices should use Layer 2 or Layer 3 encryption with AES. (§ 1.2 (2.3.1.010), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • Devices should use Layer 2 or Layer 3 encryption with AES. (§ 1.2 (2.3.1.010), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • Devices should use Layer 2 or Layer 3 encryption with AES. (§ 1.2 (2.3.1.010), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • Devices should use Layer 2 or Layer 3 encryption with AES. (§ 1.2 (2.3.1.010), The Center for Internet Security Wireless Networking Benchmark, Linksys Addendum, 1)
  • The organization must encrypt all stored payment data using triple DES encryption. (§ 1a, American Express Data Security Standard (DSS))
  • Review the documented policies and procedures to verify they include processes for only accepting trusted keys and/or certificates. (Testing Procedures § 4.1.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review documented policies and procedures to verify they include processes for implementing the proper encryption strength for the encryption method that is being used. (Testing Procedures § 4.1.b Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the cryptographic keys and certificates to verify only trusted keys and certificates are accepted. (Testing Procedures § 4.1.d, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • § 4.4.1.A Wi-Fi Protected Access (WPA or WPA2) Enterprise mode with 802.1X authentication and AES encryption is recommended for WLAN networks. § 4.4.1.B It is recommended that WPA2 Personal mode be used with a minimum 13-character random passphrase and AES encryption. § 4.4.1.E The use of Wired E… (§ 4.4.1.A, § 4.4.1.B, § 4.4.1.E, § 4.5.1.A, § 4.5.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Wireless networks that transmit cardholder data should encrypt all transmissions via WiFi Protected Access (WPA or WPA2), IPSEC VPN, or SSL/TLS. Wired Equivalent Privacy (WEP) should never be exclusively used to protect confidentiality and access to wireless LANs. If WEP is used, the following shoul… (§ 6.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • The HSM uses accepted cryptographic algorithms, modes, and key sizes (B10, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 2.0)
  • The device uses accepted cryptographic algorithms, modes, and key sizes. (B10, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? (PCI DSS Question 2.3(d), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • For service providers only: If keys are shared with customers for transmission or storage of cardholder data, is documentation provided to customers that includes guidance on how to securely transmit, store, and update customer's keys, in accordance with Requirements 3.6.1 through 3.6.8? (PCI DSS Question 3.6(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • A key technical control that should be included in a well-managed IT environment is the implementation of encryption services when confidentiality is a stated requirement. (§ 5.3.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The digital asset management audit should include ensuring digital assets are subject to data encryption. (App A.9 (Recommendations for Piracy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • To ensure network security, providing secure connections and encryption should be included in the data protection efforts. (§ 5.2 (Network Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The organization should ensure the type of encryption used for e-mail or transferring documents is not restricted in the destination country. (Pg 23-VI-19, Protection of Assets Manual, ASIS International)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be encrypted (e.g., using Internet Protocol Security). (CF.04.01.07e, The Standard of Good Practice for Information Security)
  • The information security function should provide proactive support for the use of cryptography. (CF.01.02.04c, The Standard of Good Practice for Information Security)
  • Cryptography should be used across the organization to protect the confidentiality of sensitive information or information that is subject to legal and regulatory-related encryption requirements (e.g., Payment Card Industry Data Security Standard, United States Health Insurance Portability and Accou… (CF.08.04.01a, The Standard of Good Practice for Information Security)
  • Cryptography should be used across the organization to determine if critical information has been altered (e.g., by performing hash functions or digitally signing). (CF.08.04.01b, The Standard of Good Practice for Information Security)
  • Cryptography should be used across the organization to provide strong authentication for users of applications and systems (e.g., by using digital certificates and smartcards). (CF.08.04.01c, The Standard of Good Practice for Information Security)
  • Arrangements to manage cryptographic solutions should be established that include approving the use of cryptographic solutions (e.g., by executive management). (CF.08.04.04a, The Standard of Good Practice for Information Security)
  • Arrangements to manage cryptographic solutions should be established that include keeping cryptographic solutions up-to-date. (CF.08.04.04d, The Standard of Good Practice for Information Security)
  • Relevant business managers should have access to expert technical and legal advice on the use of cryptography. (CF.08.04.05a, The Standard of Good Practice for Information Security)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by a Public Key Infrastructure to help provide effective authentication, Access Control, data encryption, digital signatures, hashing, and management of cryptographic keys. (CF.08.08.03c, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by applying strong encryption (i.e., strong cryptographic algorithms and strong cryptographic minimum key lengths). (CF.08.08.08d, The Standard of Good Practice for Information Security)
  • E-mail systems should protect messages by encrypting confidential or sensitive e-mail messages. (CF.15.01.07b-2, The Standard of Good Practice for Information Security)
  • Connections between servers (e.g., web servers) and back-office systems (e.g., application and database servers) should be encrypted (e.g., using Internet Protocol Security). (CF.04.01.07e, The Standard of Good Practice for Information Security, 2013)
  • The information security function should provide proactive support for the use of cryptography. (CF.01.02.04c, The Standard of Good Practice for Information Security, 2013)
  • Cryptography should be used across the organization to protect the confidentiality of sensitive information or information that is subject to legal and regulatory-related encryption requirements (e.g., Payment Card Industry Data Security Standard, United States Health Insurance Portability and Accou… (CF.08.04.01a, The Standard of Good Practice for Information Security, 2013)
  • Cryptography should be used across the organization to determine if critical information has been altered (e.g., by performing hash functions or digitally signing). (CF.08.04.01b, The Standard of Good Practice for Information Security, 2013)
  • Cryptography should be used across the organization to provide strong authentication for users of applications and systems (e.g., by using digital certificates and smartcards). (CF.08.04.01c, The Standard of Good Practice for Information Security, 2013)
  • Arrangements to manage cryptographic solutions should be established that include approving the use of cryptographic solutions (e.g., by executive management). (CF.08.04.04a, The Standard of Good Practice for Information Security, 2013)
  • Arrangements to manage cryptographic solutions should be established that include keeping cryptographic solutions up-to-date. (CF.08.04.04d, The Standard of Good Practice for Information Security, 2013)
  • Relevant business managers should have access to expert technical and legal advice on the use of cryptography. (CF.08.04.05a, The Standard of Good Practice for Information Security, 2013)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by a Public Key Infrastructure to help provide effective authentication, Access Control, data encryption, digital signatures, hashing, and management of cryptographic keys. (CF.08.08.03c, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by applying strong encryption (i.e., strong cryptographic algorithms and strong cryptographic minimum key lengths). (CF.08.08.08d, The Standard of Good Practice for Information Security, 2013)
  • E-mail systems should protect messages by encrypting confidential or sensitive e-mail messages. (CF.15.01.07b-2, The Standard of Good Practice for Information Security, 2013)
  • All entitlement decisions shall be derived from the identities of the entities involved. These shall be managed in a corporate identity management system. Keys must have identifiable owners (binding keys to identities) and there shall be key management policies. (EKM-01, Cloud Controls Matrix, v3.0)
  • Monitor all traffic leaving the organization and detect any unauthorized use of encryption. (CIS Control 13: Sub-Control 13.5 Monitor and Detect Any Unauthorized Use of Encryption, CIS Controls, 7.1)
  • Use only standardized, currently accepted, and extensively reviewed encryption algorithms. (CIS Control 18: Sub-Control 18.5 Use only Standardized and Extensively Reviewed Encryption Algorithms, CIS Controls, 7.1)
  • Monitor all traffic leaving the organization and detect any unauthorized use of encryption. (CIS Control 13: Sub-Control 13.5 Monitor and Detect Any Unauthorized Use of Encryption, CIS Controls, V7)
  • Authentication Enhancements. The use of user id/password pairs is a simple way to authenticate users, but they can be compromised or guessed. There are other more secure ways to authenticate users, particularly for remote users. Authentication enhancements are needed when there exists a high possibi… (¶ 13.3.3, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Cryptography should be used to enforce high-level security objectives, such as identification and authentication, nonrepudiation, trusted path, and data separation. High-level security objectives can be implemented in hardware, software, and/or firmware. (§ 10, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. (A.18.1.5 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Cryptographic controls should be in compliance with all laws and regulations. The following items are needed to comply with cryptographic laws: restrictions on encryption; restrictions on the import/export of computer hardware and software that performs cryptography; and methods by the country to ga… (§ 15.1.6, ISO 27002 Code of practice for information security management, 2005)
  • Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. (§ 18.1.5 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud servic… (§ 10.1.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. (§ 18.1.5 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The security program, in relation to protecting personal information, should include methods for protecting cryptographic tools and information. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should implement procedures to define the minimum encryption levels and control levels. (Table Ref 8.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • When web services are furnished, are cryptographic controls used for the electronic commerce application (Secure Sockets Layer)? (§ G.21.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are encryption tools managed and maintained for scoped data? (§ I.6, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Are encryption tools managed and maintained? (§ L.6, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • For cloud computing services, are preventative controls used to prevent the staff from accessing a client's encryption key? (§ V.1.45.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are detective controls used to prevent the staff from accessing a client's encryption key? (§ V.1.45.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are corrective controls used to prevent the staff from accessing a client's encryption key? (§ V.1.45.3, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are policy controls used to prevent the staff from accessing a client's encryption keys? (§ V.1.45.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Only approved crypto systems should be used to encrypt classified information. (§ 4-1.c, § 4-2.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must use industry standard levels of encryption and authentication for the transfer or receipt of health care information, social security numbers, financial transaction information (for example, a credit card number), or other sensitive information. (Principle III.B.1, BBBOnline Code of Online Business Practices)
  • The organization may use hardware and/or software encryption methods. For hardware-based encryption, the organization may use hardware encryptors. For software-based encryption, the organization may use SSL version 3.0 or higher, standard commercial implementations of PKI implemented in SSL, S-MIME … (§ 7 (Acceptable Encryption Approaches) ¶ 2, HIPAA HCFA Internet Security Policy, November 1998)
  • The method(s) employed by all users of HCFA Privacy Act-protected and/or other sensitive HCFA information must come under one of the approaches to encryption and at least one of the authentication or identification approaches. The use of multiple authentication or identification approaches is also p… (Acceptable Approaches to Internet Usage ¶ 1, HIPAA HCFA Internet Security Policy, November 1998, Remapping)
  • CSR 10.4.3: The organization must enable and force the use of application security mechanisms, such as SSH and SSL. The organization must use CMS-approved encryption and password authentication methods, along with certificate-based authentication or additional authentication protection. CSR 10.4.7: … (CSR 10.4.3, CSR 10.4.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The information assurance manager must implement the cryptographic services with a National Security Agency approved, type 1 device for classified information systems. (§ 3.4.2.1 ¶ AC34.066, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance manager must ensure that cryptographic-based security systems have been implemented in accordance with the required vendor-supplied security policies, so the cryptographic modules satisfy the National Security Agency or Federal Information Processing Standard requirements o… (§ 3.4.2.1 ¶ AC34.067, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance manager must ensure that the exchange of For Official Use Only information with contractors and vendors requires the use of Public Key Infrastructure and that only Public Key Infrastructure certificates from a Department of Defense-approved internal Certificate Authority or… (§ 3.4.2.2 ¶ AC34.090, DISA Access Control STIG, Version 2, Release 3)
  • Privileged users accessing a DoD system must have all unclassified data encrypted with FIPS 140-2 validated encryption methods and classified data encrypted with Type I encryption. End-user access should be encrypted. Web browsers must support 128-bit encryption. Government data on remote devices mu… (§ 2.1, § 5.3, § 5.6, § 6.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • § 2.3 Broadband or high-speed connections used for Remote Access, Mobile Access, and Telework introduce a greater risk of an attack compared to dial-up connections, since users are connected for much longer periods and these connections often use static IP addresses provided by Internet Service Pro… (§ 2.3, § 4.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • The wireless LAN (WLAN) encryption modules for data-in-transit should meet the FIPS 140-2 Level 1 requirements, at a minimum, and the information assurance component should be validated as either basic or medium robustness in the NIAP Common Criteria. If the WLAN infrastructure is in an unprotected … (§ 3.1 (WIR0270), § 4.2 (WIR0378), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. App B.3 Row "Enable Encryption", located under Policy Manager/General Settings, should be checked Enable. App B.3 Row "Encryption Method", located under Policy Manager/General Settings, should be a… (§ 2.2 (WIR2250), App B.3 Row "Enable Encryption", App B.3 Row "Encryption Method", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5, Release 2.4)
  • If the application provides a web user interface, the Records Management Application shall provide 128-bit encryption and all mandatory access controls, and shall be Public Key Infrastructure-enabled. (§ C2.2.7.4, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • National Institute of Standards and Technology Federal Information Processing Standard 140-2 validated cryptography must be used for implementing key exchange, encryption, hashing, and digital signatures, and newer standards should be used when they are available. (DCNR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Commercial off the shelf products that are used to protect National Security Information using cryptography may be required to use National Security Agency-approved key management techniques. (DCSR-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • § 170.210(a): Electronic health information that is created, maintained, and exchanged must use an encryption algorithm that is an approved security function in Annex A of Federal Information Processing Standards (FIPS) Publication 140-2. § 170.302(u): Complete electronic health records (EHRs) or … (§ 170.210(a), § 170.302(u), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • The use of strong encryption is encouraged. (Pg 47, The National Strategy to Secure Cyberspace, February 2003)
  • The agency shall enable user authentication and encryption mechanisms for the access points' management interface. (§ 5.5.7.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall follow the electronic storage encryption requirements for controlled areas as stated in section 5.10.1.2. (§ 5.9.2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The cryptographic module used for encryption shall meet the Federal Information Processing Standards 140-2 requirements. (§ 5.10.1.2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Criminal justice information that is transmitted by fax is exempt from the encryption requirements. (§ 5.10.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • With prior approval of the CSO. (§ 5.10.1.2.1 ¶ 1 ¶ 1(2)(e), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Integrate additional authentication and encryption controls, as necessary. (App A Objective 6.27.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should use encryption to secure data transmissions. (Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • Provides a generous amount of general information on the use of encryption to protect sensitive information from unauthorized access. (AC-3.3, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must implement Federal Information Processing Standard 140-2 validated cryptography for service offerings that include Software as a Service with e-mail. (Column F: AU-10(5), FedRAMP Baseline Security Controls)
  • The service provider must support the production, control, and distribution of asymmetric cryptographic keys. (Column F: SC-12(5), FedRAMP Baseline Security Controls)
  • Cryptographic modules must be compliant with NIST guidance. When cryptography is used, it must be in compliance with all applicable laws, regulations, standards, and guidance. (§ 5.6.7, Exhibit 4 IA-7, Exhibit 4 SC-13, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are digital signatures used to authenticate the Credit Union? (IT - Authentication Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the hosting certificates properly procured and stored? (IT - Authentication Q 28, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the encryption methodology tailored to specifically protect sensitive data? (IT - Security Program Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union use end-to-end encryption? (IT - WLANS Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • If an IdP discloses information on subscriber activities at an RP to any party, or processes the subscriber's information for any purpose other than identity proofing, authentication, or attribute assertions (collectively "identity service"), related fraud mitigation, to comply with law or legal pro… (5.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • At any FAL, the IdP SHALL ensure that an RP is unable to impersonate the IdP at another RP by protecting the assertion with a signature and key using approved cryptography. If the assertion is protected by a digital signature using an asymmetric key, the IdP MAY use the same public and private key p… (4.1 ¶ 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • If the organization uses PKI, the PKI certificate policy and certification practice statement should be developed or updated to include WLANs. The organization should ensure an appropriate EAP method, based on the organization's requirements, has been selected for WLAN authentication. Handheld devic… (Table 8-1 Item 8, Table 8-2 Item 18, Table 8-4 Item 44, Table 8-4 Item 45, Table 8-5 Item 56, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • The organization shall implement the cryptographic algorithm and a law enforcement access field (LEAF) creation method in an electronic device that is highly resistant to someone obtaining or modifying the cryptographic algorithm, the device unique identifier (UID), the device unique key (KU), the c… (§ 5 ¶ 1, FIPS Pub 185, Escrowed Encryption Standard (EES))
  • The signatory's public key and identity, and the domain parameters shall be available to the verifier in an authenticated manner before the signature of a signed message can be verified. (§ 4.7 ¶ 2, FIPS Pub 186-3, Digital Signature Standard (DSS))
  • An organization within the federal government is required to use DES for applications that require cryptographic processing of sensitive unclassified information. (§ 7.2, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • § 2.2.3 ¶ 4: The organization is required to use the Data Encryption Standard (DES), FIPS 46-2, to encrypt sensitive but unclassified information (except for Warner Amendment information), unless the head of the federal agency has granted a waiver. § 2.2.3 ¶ 5: The organization should use FIPS 1… (§ 2.2.3 ¶ 4, § 2.2.3 ¶ 5, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • To acceptably implement this standard's requirements, the organization must adhere to the following criteria: it must use a FIPS approved digital signature algorithm to generate and/or verify digital signatures; it must generate (pseudo)random numbers with a FIPS approved (pseudo)random number gener… (§ 2.1.1, FIPS Pub 196, Entity Authentication using Public Key Cryptography)
  • Calls for Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational informatio… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • § 5.4.1: Certification authorities (CAs) shall participate in the hierarchical public key infrastructure (PKI) for the Common Policy managed by the federal PKI, if they issue certificates for supporting personal identity verification (PIV) card authentication. § 5.4.3: At a minimum, certification … (§ 5.4.1, § 5.4.3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • While encryption can provide strong access control, it is accompanied by the need for strong key management. All keys need to be managed against modification, and secret keys and private keys need protection against unauthorized disclosure. Key management involves the procedures and protocols, both … (§ 3.12.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records, documents, and the system configuration should be examined to ensure the requirements of FIPS 140-2 are met when authenticating a cryptographic module; all cryptography complies with laws, regulations, directives, and standards; the authentication methods are clearly identifi… (IA-7, SC-13, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • If Bluetooth is using multi-hop wireless communications, encryption should be enabled for every link. All broadcast transmissions should be encrypted; this can be accomplished by enabling Encryption Mode 3. Communications between the Smart Card Reader and the host device should be accomplished by Bl… (Table 4-2 Item 15, Table 4-2 Item 17, Table 4-4 Item 1, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Decrypt seized data using technical means. (T0049, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate. (T0416, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The smart grid Information System must protect the integrity of information that is communicated electronically. (SG.SC-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must ensure the integrity of information by using cryptographic mechanisms. (SG.SC-8 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System should maintain information integrity while preparing for transmission. (SG.SC-8 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must prevent the unauthorized disclosure of information during transmission with the use of cryptographic mechanisms. (SG.SC-9 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should encrypt or store off-line, in a secure location, user information and system information. (App F § AC-3(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use Federal Information Processing Standard-approved cryptography to protect unclassified information. (App F § SC-13(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support cryptographic mechanisms for protecting the integrity and confidentiality of wireless access or cannot use cryptographic mechanisms due to significant… (App I § AC-18 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should carefully consider the use of cryptography for wireless access based on the security needs and the potential ramifications on system performance on an Industrial Control System. (App I § AC-18 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Cryptography should be used on an Industrial Control System only after careful consideration of the potential ramifications on system performance and security needs. (App I § IA-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The use of cryptography for transmission integrity on an Industrial Control System should be determined after careful consideration of the security needs and potential ramifications on system performance. (App I § SC-8 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The use of cryptography for transmission confidentiality on an Industrial Control System should be determined after careful consideration of the security needs and potential ramifications on system performance. (App I § SC-9 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The use of cryptography, including key management, on the Industrial Control System should be determined after careful consideration of the potential ramifications on system performance and the security needs. (App I § SC-12, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The use of cryptography on the Industrial Control System should be determined after careful consideration of the potential ramifications on system performance and the security needs. (App I § SC-13, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (SC-13 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Remapping)
  • The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (SC-13 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Remapping)
  • The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (SC-13 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4, Remapping)
  • The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by {organizationally documented alternative physical safeguards}. (SC-8(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by {organizationally documented alternative physical safeguards}. (SC-8(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. (SC-8(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Remapping)
  • The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. (SC-8(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Remapping)
  • The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. (SC-13 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Remapping)
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered acce… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 2, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(3), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)