Government of Ontario IT Standard (GO-ITS) Number Security Requirements for the Use of Cryptography

Size: px
Start display at page:

Download "Government of Ontario IT Standard (GO-ITS) Number 25.12 Security Requirements for the Use of Cryptography"

Transcription

1 Government of Ontario IT Standard (GO-ITS) Number Security Requirements for the Use of Cryptography Version #: 1.2 Status: Approved Prepared under the delegated authority of the Management Board of Cabinet UNCLASSIFIED Queen's Printer for Ontario, 2012 Last Review Date:

2 Foreword Government of Ontario Information Technology Standards (GO-ITS) are the official publications on the guidelines, preferred practices, standards and technical reports adopted by the Ontario Public Service under the delegated authority of the Management Board of Cabinet (MBC). These publications support the responsibilities of the Ministry of Government Services (MGS) for coordinating standardization of Information & Information Technology (I&IT) in the Government of Ontario. Publications that set new or revised standards provide enterprise architecture guidance, policy guidance and administrative information for their implementation. In particular, GO-ITS describe where the application of a standard is mandatory and specify any qualifications governing the implementation of standards. All GO-ITS 25 Standards are based on the work of recognized global authorities in information and operational security, both in government and industry. Copies of cited GO-ITS standards may be obtained as follows: Intranet: Internet: Summary The Corporate Policy on Information and Information Technology Security requires that Government of Ontario employees protect information that is received, created, held by, or retained on behalf of, Ontario ministries and agencies. Programs are responsible for the implementation of appropriate safeguards, based on an assessment of the risks involved. Cryptography is an industry standard practice for the protection of data confidentiality and integrity. All Government of Ontario staff members are required to be aware of the sensitivity of program information, and the practices and safeguards needed to ensure the ongoing security of information. The MGS Corporate Security Branch (CSB) is the cryptographic authority for the Government of Ontario. UNCLASSIFIED 2

3 Version control and change management Date Version Author Comment September 17, Tim Dafoe, CSB Endorsed by IT Standards Council October 16, Tim Dafoe, CSB Approved by Architecture Review Board October 24, Tim Dafoe, CSB Changes per document history March 9, 2012 Tim Dafoe, CSB Updated, changes per document history June 12, 2012 Tim Dafoe, CSB Updated as per SADWG input November 15, Tim Dafoe, CSB Updates approved by Information Technology Executive Leadership Council (ITELC). Approved document version number set to 1.2 Ongoing ownership and responsibility for maintenance and evolution of this document resides with the Corporate Security Branch, Office of the Corporate Chief Information Officer. The Corporate Security Branch will provide advice on the interpretation and application of these security requirements and manage any updates to the document when the need arises. Contact information If you have questions or require further information about this document or the GO-ITS 25 series, please contact the following Corporate Security Branch staff: Contact 1 Contact 2 Name/Title Charlotte Ward, Manager, Policy & Administration Tim Dafoe, Senior Security Policy Advisor Organization/Ministry Ministry of Government Services Ministry of Government Services Division OCCIO OCCIO Branch Corporate Security Branch Corporate Security Branch Section/Unit Policy & Administration Security Policy Office Phone (416) (416) UNCLASSIFIED 3

4 Table of Contents 1. INTRODUCTION Purpose of the standard Terms Application and scope Out of scope Background Principles REQUIREMENTS Education and training Information in storage Communications security Management of cryptography RESPONSIBILITIES ACKNOWLEDGEMENTS DOCUMENT HISTORY APPENDIX A: APPROVED ALGORITHMS AND PROTOCOLS APPENDIX B: DEFINITIONS APPENDIX C: ACRONYMS APPENDIX D: ADDITIONAL INFORMATION...29 UNCLASSIFIED 4

5 1. INTRODUCTION This document is one in a series that defines operational principles, requirements and best practices for the protection of Government of Ontario networks and computer systems. 1.1 Purpose of the standard This document outlines the context and requirements for appropriate use of cryptography within the Government of Ontario. The objective of this document is to ensure that cryptography of an appropriate type and strength is employed to protect Government of Ontario I&IT resources. This document has been produced in consultation with stakeholder groups (primarily from privacy and security centres of excellence) within the Government of Ontario. It makes reference to the section Information systems acquisition, development and maintenance from the ISO/IEC 27002:2005 code of practice, and technical requirements within are stated in accordance with both ISO/IEC 27002:2005 recommendations and external guidance received by CSB. 1.2 Terms Within this document, certain wording conventions are followed. There are precise requirements and obligations associated with the following terms: Must Should The requirement is mandatory. Without it, the system is not considered secure. The requirement ought to be adhered to, unless exigent business needs dictate otherwise and the full implications of non-compliance are understood. All exceptions are to be documented and approved in writing by management, identifying the rationale for the exception to standard practice. 1.3 Application and scope GO-ITS 25 Security requirements apply to all vendors, ministries, former Schedule I and IV agencies, and third parties (including any information technology system or network that processes ministry and agency information) under contract to the Ontario government, unless exempted in a Memorandum of Understanding. All cryptographic mechanisms protecting Government of Ontario I&IT resources must adhere to the requirements in this document (e.g., approved cryptographic algorithms, key lengths, and related protocols). Please consult Appendix A of this document for specific information. UNCLASSIFIED 5

6 For security involving sensitive information 1, if it becomes known that sensitive information is deemed to be at serious risk, immediate remedial action must be taken to mitigate the risk by applying appropriate tools, methods, and procedures as per the relevant GO-ITS security document. As new GO-ITS standards are approved, they are deemed mandatory for all project development and procurement opportunities. The GO-ITS Security Requirements for the Use of Cryptography must be understood to apply to: All entities identified above and/or which use the Government of Ontario Integrated Network; and All information for which the Government of Ontario is accountable, during any type of transmission or transport, and while stored on any type of computing equipment or data storage device. For the purposes of this document all references to information refer to digital information and data. The MGS Corporate Security Branch should be contacted if application of this standard is not clear relative to a given environment, program, or application. 1.4 Out of scope This document does not provide requirements for the registration of individuals or devices for the issuance of cryptographic keys, or describe specific password or pass phrase requirements for the protection of keys or related access controls. Such controls are addressed in separate documents. Enterprise key management policies, requirements, and strategies for the Government of Ontario are described in additional documentation (e.g., GO-PKI Certificate Policy). Questions about out of scope items should be directed to the contacts for this document. 1.5 Background The Management and Use of Information & Information Technology Directive and the Information Security and Privacy Classification (ISPC) Policy require that the confidentiality, integrity, availability and reliability of information and information systems are safeguarded. Cryptography is the industry standard means to assure the confidentiality and integrity of sensitive information, and is referenced in the ISO/IEC 27002:2005 code of practice. Cryptography is also commonly used to provide for reliable message authentication 2, and enable the use of secure digital signatures 3. Proper use of cryptography produces a result 1 As determined via the Government s Information Security and Privacy Classification (ISPC) policy (http://intra.ops.myops.gov.on.ca/cms/tiles.nsf/(vwreadresourcesbyrefid_content)/cpd PSU_res/$File/InformationSecurity&PrivacyClassificationPolicy-Aug05.pdf) and/or TRA process. 2 Message authentication codes involve the use of cryptography to detect both accidental (e.g., errors) and intentional (e.g., attacks) modifications to transmitted information. UNCLASSIFIED 6

7 where it is computationally infeasible for attackers to compromise the confidentiality and/or integrity of the information, communication, or exchange that has been protected. Three cryptographic techniques in particular are widely used for these purposes: Symmetric key (or secret key) techniques involve a single key that is used both to encrypt and decrypt information. This key is shared out of band to authorized recipients, via an alternate secure channel. The key is otherwise kept secret and protected from unauthorized access. Symmetric key techniques are primarily used as a tool to ensure confidentiality. Asymmetric key (or public key) techniques assign unique key pairs to each user; a key pair consists of a public encryption key that can be revealed to anyone (even over insecure channels, useful when no secure channel is available), and a private decryption key that is never shared, and must be kept secret. Hash Functions map variable length input (e.g., a file or piece of data) to a fixed length bit string. Hash functions must be collision resistant (e.g., sets of unique input data must not produce the same output result) to provide for security. Secure hash functions are primarily used as a tool to assure data integrity (e.g., detection of errors, modifications, and/or corruption for data in storage or transmission). The main advantages of asymmetric cryptography include support for digital signatures, and practical key management within large groups of users (in particular, the ability to manage and distribute unique public keys over public networks). The primary advantage of symmetric cryptography is its high speed of operation (as implementations of symmetric cryptography typically offer significantly higher performance, given identical resources), and low overhead for the distribution of shared keys within small groups of users (or devices). In general, asymmetric cryptography should be used for an open multi-user environment, or public infrastructure where secure out of band channels are not available or economically feasible. The overhead associated with the use of symmetric cryptography in such environments (e.g., the protection of secret keys while they are being shared and distributed) can quickly become difficult to manage. Asymmetric and symmetric cryptography are frequently used in concert to obtain the key management advantages of a public key system, and the computational advantages of symmetric encryption. For example, an asymmetric system can be used to authenticate identities and to protect the transmission of symmetric keys over insecure media, which are used in turn to quickly encrypt large amounts of information (via a symmetric block cipher). In situations where symmetric keys can be readily and securely managed, symmetric cryptography alone may be sufficient (e.g., within small environments or for a small number of managed devices with static key configuration and a secure keying method). 3 Digital signatures are used to authenticate the identity of an individual either prior to providing access to information or services, or subsequently, to verify the author/source of a document or transaction (e.g., non-repudiation). Digital signatures can also be used to detect unauthorized changes to a document or transaction (e.g., electronic payments, funds transfers, contracts). UNCLASSIFIED 7

8 1.6 Principles The following guiding principles support, and are stated in accordance with, the Corporate Policy on Information and Information Technology Security and the ISPC policy: Cryptography alone cannot address the entire range of security concerns associated with the storage, processing, and transmission of sensitive information 4 ; its use does not diminish the need for Program Managers to ensure that formal, documented risk assessments are conducted, employees are trained, and appropriate physical and logical access controls are implemented to protect Government assets; The Government of Ontario retains ownership of cryptographic keys that it has created, or otherwise relies upon, to protect Government information; The secure management of cryptographic keys is essential to the effective use of cryptographic techniques. Any compromise or loss of key material may lead to a compromise of the confidentiality, integrity, and availability of information; Confidence in the strength of a given cryptographic system generally decreases with the passage of time, as both the efficacy of techniques and processing power available to potential attackers are likely to increase; Program Managers have a responsibility to ensure that all legislative/regulatory and legal discovery requirements applicable to their operations can be satisfied when data encryption is deployed as a technical safeguard; The use of encryption should not disrupt other critical security mechanisms and processes (e.g., implementation of security patches or software upgrades), nor should it create unintentional and adverse impact to the availability of time-critical information (e.g., in emergency situations); and Cryptographic material (e.g., a key) intended to protect sensitive information will require protection itself, at a level commensurate with the sensitivity of that information. 4 Sensitive information refers to sensitivity as defined within ISPC policy. UNCLASSIFIED 8

9 2. REQUIREMENTS Cryptographic material must be securely protected and managed. This includes secure processes for the issuance, renewal, revocation, destruction, and recovery of cryptographic keys. The following requirements are mandatory for all cryptographic implementations and technology deployments governed by this document: 2.1 Education and training Technical staff that develop, implement, and/or manage systems must be aware of the requirements regarding the use of cryptography as described in this document. All Government staff must be aware of the sensitivity of program information and the procedures and practices (e.g., ISPC Policy) needed to protect sensitive information, including relevant legislative requirements or directives. 2.2 Information in storage Sensitive electronic information that requires a significant degree of protection as stated within ISPC policy and procedures should be encrypted in storage, or when operationally feasible, stored as a hash 5. The Privacy Impact Assessment (PIA) or TRA for the relevant program area may also indicate that an enhanced level of cryptographic protection is required for high-risk environments (please consult Appendix A of this document). Encrypted sensitive information held as data in storage for more than two years 6 must be encrypted in a manner suitable for a high-risk environment (see Appendix A). If the responsibility for encrypted information is transferred to a different organization, and access by the previous owner is no longer authorized, the transferred information must be encrypted with a new key by the new organization/custodian. Digital signatures should be applied to stored information when needed to address risks relating to integrity and/or non-repudiation (as determined by a TRA or through other means). Digital signature implementations should include the use and checking of timestamps generated from a validated time source. If practical, a central, securely managed automatic encryption mechanism (e.g., an application intended for this function) should be used to encrypt sensitive information. The following additional requirements apply to specific modes of storage: 5 Hashes are commonly used to store password values, but can also be considered for other types of sensitive information if a comparison operation with a hash value will be sufficient for the business operation, and the information itself need not be stored. Additional measures (e.g., salting, iteration) may be required to provide for adequate security when this technique is used. 6 When systems are migrated to new technologies, compatibility issues may be introduced for encrypted information in long-term storage (e.g., archives); such eventualities should be identified and addressed. UNCLASSIFIED 9

10 2.2.1 Mobile devices Government of Ontario mobile devices (e.g., portable computers and removable media) intended to process or store sensitive information must incorporate functionality whereby the entirety of device storage capacity can be encrypted. Mobile encryption systems must be centrally managed. Such systems must be endorsed by CSB for such use with the Government of Ontario, must offer comprehensive protection via cryptographic and other security mechanisms, and must be suitable for high-risk environments. Refer to GO-ITS Security Requirements for Mobile Devices for additional direction Desktop computers Government desktop computers are typically not adequately protected against high resource threat agents (e.g., a focused and determined electronic attacker such as an organized, funded group). Their local storage capacity should not be used to store sensitive information. If operations requirements are such that it is necessary to store sensitive information on a desktop computer, the information must be encrypted using an encryption mechanism specifically endorsed by CSB for this purpose, and additional security measures may be required for high-risk environments Data repositories Sensitive information must be encrypted at the data field level before it is written to a data repository, when such protection is required by ISPC or a TRA. When operationally feasible, hashes of sensitive information should be used for comparisons and verification (thereby avoiding storage of the actual sensitive information). Such hash values must be generated using a secure hash function endorsed by CSB (see Appendix A). When deploying encryption within data repositories, careful consideration should be given to any limitations present within the encryption options, and any impact on software development, deployment, performance, administration, or legal duties. 2.3 Communications security Sensitive information must be safeguarded when transmitted. UNCLASSIFIED 10

11 2.3.1 General transmission and communication Sensitive information must be encrypted using appropriate means (see Appendix A) for all types of communications, other than those that occur within the same designated Security Zone (and do not employ wireless technology). Wireless transfers of Government of Ontario information using lightweight protocols and/or external services (e.g., mobile wireless data 7, satellite, or Bluetooth) must be further encrypted using approved means (see Appendix A) during data communications, unless a specific, secure service has been endorsed by CSB for use. Adequate cryptographic functionality is present in some wireless protocols, and should be investigated prior to deployment. The integrity of sensitive data, business information, or transactions sent via a wireless protocol, or that crosses a managed perimeter boundary in either direction, must be verified using an approved message authentication code (e.g., HMAC) or a digital signature upon receipt. This functionality is present in many such systems, and should be investigated prior to deployment. Digital signatures must be used if the identified integrity requirements (e.g., documented in a TRA) include support for high-risk environments and/or non-repudiation, even if sensitive data does not cross the managed perimeter boundary. This functionality is available in several existing messaging protocols, and should be investigated prior to deployment. Digital signature implementations must include the use and checking of an accurate timestamp from a validated and redundant time source Mainframe communications Mainframe SNA traffic (such as SNA over IP) must be encrypted within the Government of Ontario if the communication includes sensitive information, and does not occur within the same designated Zone (e.g., via a dedicated physical connection). 2.4 Management of cryptography Cryptography must be appropriately deployed and managed if it is to be effective. All cryptographic schemes and internal key management procedures deployed within the Government of Ontario must be managed and documented. 7 Wireless cellular data communications (e.g., those associated with GSM, CDMA protocols) do not provide for an adequate degree of communications security, and must not be relied upon to safeguard confidentiality. UNCLASSIFIED 11

12 2.4.1 Procurement of cryptography All products supporting cryptography that are procured for use within the Government of Ontario must comply with the requirements in this document. Other relevant sources of information may be consulted for general guidance (e.g., CAVP standards, CMVP FIPS evaluations, and ISO/IEC 19790:2006). Cryptographic products must be configurable using administrator-controlled rules including: Specific cryptographic algorithm(s), mode of operation, and the minimum effective key lengths to be used; and Password and authentication schemes that meet the security requirements described in GO-ITS Security Requirements for Password Management and Use Deployment of cryptography Cryptographic mechanisms within the Government must be deployed and configured in compliance with the requirements in this document (please consult Appendix A), applicable implementation standards, and any requirements mandated through the TRA process. CSB should be consulted to determine how best to address security requirements. The ability to modify the configuration of cryptographic mechanisms must be restricted to qualified and specifically authorized administrators. Cryptographic mechanisms deployed for users, applications and services must be kept current and updated when necessary to address vulnerabilities, as advised by CSB. All applications and services using cryptography must: Employ a random number generation (RNG) or high-quality pseudo-random number generation (PRNG) implementation considered (and validated, in highrisk environments) to be cryptographically adequate (consult CMVP materials, FIPS and ISO/IEC 18031:2011 for more information); Check the validity of certificates, and not use certificates that are revoked, expired, or otherwise invalid; and Securely delete decrypted information retained in temporary memory and/or caches immediately upon completion of the related transaction or activity. Applications and services that provide access to sensitive information must undergo security testing and evaluation (STE) prior to implementation, and when changes are made that may introduce vulnerabilities Development of cryptography Ministries and agencies of the Government of Ontario must not develop any type of unique or proprietary cryptographic algorithm, protocol, RNG, PRNG, or cryptographic implementation for the purpose of safeguarding information; all cryptography used to secure Government of Ontario I&IT assets within the scope of this document must be UNCLASSIFIED 12

13 acquired via peer-reviewed, industry standard products, software, or services endorsed by CSB. Such products, software, and services must meet the requirements in this document, and be procured through appropriate channels Protection of cryptographic material Access to cryptographic material must be limited to its intended use and restricted to authorized entities (e.g., an individual, application, or service). Cryptographic material for Government use and all technology used for its generation, transmittal, use, storage, and disposal must be protected using physical, network, and personnel security measures, in addition to other applicable security guidance. Cryptographic keys must be protected to a degree commensurate with the sensitivity of the information they are intended to protect, while in storage or in transit. The integrity of the material should be confirmed prior to each use (e.g., validation of a digital signature or MAC). Keys or certificates must be generated by the Government of Ontario, or supplied by an organization endorsed by CSB as a provider of cryptographic services (see the section entitled Management of Cryptographic Services). Keys should be generated via a secure module (e.g., FIPS level 2 or better) where possible. If cryptographic material protecting sensitive program information is assigned to an entity other than a person (e.g., an application or service): A responsible, accountable custodian role must be devised and assigned for the protection of the key material, and to ensure that it is deployed in compliance with applicable requirements; Protection of the assigned cryptographic material must be changed when a new individual is appointed (e.g., the previous appointee or custodian must no longer have access); The Program Manager must be aware of the current appointee s contact information and responsibilities, and the other positions that require access to the cryptographic material to fulfill their responsibilities (e.g., members of operations units); and The appointee must document all access to the cryptographic material (by name of the individual granted access) and must take caution and/or measures to prevent access by an individual who is no longer authorized. Access documents and logs must be regularly reviewed and subject to audit Key management Internal key management procedures must be developed for all applications employing cryptographic systems for the protection of sensitive information. These procedures must address separation of duties, re-keying requirements, key generation, key assignment, revocation processes (including related timelines), secure distribution, and secure destruction of cryptographic material. UNCLASSIFIED 13

14 Cryptographic keys issued for test purposes must not be used in a production environment, and production cryptographic keys must not be used in a test environment. Internal staff responsible for the issuance and/or management of cryptographic keys should be organizationally separated from operations (e.g., separation of duties) and must possess a valid Government of Ontario Personnel Screening result Recovery of encrypted information The cryptography service must include a secure mechanism for the recovery of symmetric and asymmetric decryption keys when needed to recover encrypted information in storage (e.g., lost password, departing employee, corrupted key, legal discovery requirements, or forensics investigation). Government of Ontario key material must not however be held in escrow by a third party (please see definition of key escrow in the glossary for this document). The potential for regulatory and/or legal obligations to provide information that may have been encrypted must be considered for all encryption systems. Decryption keys must be recoverable after their expiry or termination to enable the future decryption of information, including archived back-ups. Only the user or the responsible area Director may request recovery of encrypted information. The identity of the requester must be verified before the recovery is carried out. The responsible Director must confirm the legitimacy of requests for access to encrypted information (e.g., court order or other authority) before requesting recovery. If the recovery of encrypted information causes the generation of an identity credential under the user's name, the recovery procedure must prevent the use of the identity credential by anyone other than the user. A secure self-recovery mechanism endorsed by CSB should be provided for users to recover encrypted material themselves when they cannot recover (or remember) their credentials (e.g., without interactive assistance from an administrator or help desk) Management of cryptographic services An organization that provides cryptographic services for the Government of Ontario must establish and adhere to operating policy and procedures that comply with the requirements in this document, and other relevant government security standards and policies (e.g., other GO-ITS 25 series standards, and ISPC). UNCLASSIFIED 14

15 3. RESPONSIBILITIES Users All Government of Ontario employees and staff using I&IT resources are responsible for: Complying with directives, policies and agreements when accessing or using Government of Ontario information, equipment and services; Understanding information sensitivity and their duties to protective sensitive information as per the ISPC policy and operating procedures; Using the cryptographic technology provided to them for the protection of Government information; and Reporting any suspected security breaches to the IT Service Desk. Program managers Program managers are responsible for: Being aware of any custodian roles within their area; Maintaining relevant contact information and organizational details regarding those interacting with custodians; Ensuring ISPC compliance and the completion of PIA and TRA work products; Ensuring required security safeguards are in place to protect Government of Ontario information, including additional safeguards recommended and approved via the PIA and TRA processes; and Reporting any security exposures or suspected security incidents. Directors Directors are responsible for: Ensuring that staff members are aware of and adequately trained in their responsibilities as set out in this document, ISPC, and other relevant policies and standards; Ensuring that agreements with consulting firms and service providers include provisions that outline the organization s responsibilities for the cryptographic protection of Government I&IT resources; Ensuring required security safeguards are in place to protect Government of Ontario information, including additional safeguards recommended and approved via the PIA and TRA processes; Initiating and managing requests for recovery from encryption keys; Confirming the legitimacy of any such requests that originate from within their area; and Reporting any security exposures or suspected security incidents. UNCLASSIFIED 15

16 I&IT clusters The I&IT clusters are responsible for: Supporting Program Managers and Directors in ensuring that Government information is protected by appropriate security safeguards, and in accordance with ISPC requirements; Working with relevant CSB Cluster Service Liaison staff when appropriate; Procuring, deploying and maintaining information technology products that incorporate cryptographic components, in compliance with these requirements; Ensuring that applications and services appropriately employ cryptography in compliance with these requirements; Providing users with instruction and support; Supporting security incident reporting and handling procedures as required; Ensuring that agreements with service providers address security requirements; and Monitoring for compliance with this document. Infrastructure Technology Services (ITS) ITS is responsible for: Ensuring that agreements that they enter into with cryptographic service providers will address the requirements in this document; Monitoring provided services for compliance with the requirements in this document; and Operation of the IT Service Desk, and provision of assistance to clients. Custodians Any appointed custodian of cryptographic material is responsible for: Ongoing management and due protection of any key material assigned, at an appropriate level, given the role of the assigned material and sensitivity of associated protected information; Formally documenting all access to the protected cryptographic material, subsequent to validation of all requests to ensure they are authorized; Review of access and other logs associated with assigned material; Appropriate management of responsibilities, including access to audit, and relinquishing the custodian role to any appointed replacement custodian as required; and Reporting any security exposures or suspected security incidents. Cryptographic service providers Any Cryptographic service provider to the Government of Ontario is responsible for: UNCLASSIFIED 16

17 Establishing and adhering to operating policy and procedures that comply with this standard, relevant Government directives and policies, and applicable industry standards and practices; Due diligence in the operation of all systems and processes related to the cryptographic services and techniques provided; and Accommodation of audit to validate sound operation of systems and processes, and due co-operation regarding disclosure of practices and documentation. Corporate Security Branch The MGS Corporate Security Branch is responsible for: Authorship of security policies and standards for the Government of Ontario, subject to appropriate approval; Securely managing and operating the Certificate Authority for the Government of Ontario PKI service (GO-PKI) for the Ontario Public Service (OPS) and its service partners; Monitoring the evolution of technology and products, assessing their strengths and vulnerabilities, and endorsing cryptography for Government use; Supporting procurement processes for and evaluation of cryptographic products for the OPS; Advising appropriate levels of protection to address business risks relative to identified threats, and identifying technology best suited to address such security and business requirements; Providing timely guidance on the deployment and use of security products and services to OCCIO ITS and the I&IT Clusters; Maintaining relevant policies and procedures, such as the Information Security and Privacy Policy and related documentation; Monitoring compliance with security requirements and obligations in conjunction with OCCIO ITS and the I&IT Clusters; and Liaising with cryptographic and security authorities at other levels of Government. Ontario Internal Audit The Ontario Internal Audit Division is responsible for: Conducting periodic audits of pertinent activities to test compliance with security standards; Communicating with appropriate management about the risks identified and the severity of those risks; and Working with management to identify the needed management action plans to mitigate the risks noted during the course of an audit and conducting follow-up as required. UNCLASSIFIED 17

18 4. ACKNOWLEDGEMENTS 4.1 Editors Full Name Cluster, Ministry and/or Area Tim Dafoe MGS Corporate Security Branch 4.2 Contributors Full Name Cluster, Ministry and/or Area Earl Kuntz MGS Corporate Security Branch 4.3 Consultations The following individuals were consulted: Charlotte Ward, MGS Corporate Security Branch Pat Antliff, MGS Corporate Security Branch Muriel Petersen, MGS OCIPO Lynette Craig, MGS OCIPO Brady Thompson, MGS OCIPO 4.4 Reviewers The following groups have reviewed this standard: Security Architecture Domain Working Group UNCLASSIFIED 18

19 5. DOCUMENT HISTORY Endorsed: IT Standards Council Approved: Architecture Review Board Revised: Updated to enhance technical specificity; document version set to Version 1.1: o Document aligned with GO-ITS o o Revised: Updated protocol versions and requirements Updated definitions and added glossary items General update; document version set to Version 1.2: o o o o o Revised: Updated roles and responsibilities Updated hyperlinks to directives and policies and document titles Updated ISO/IEC references Updated protocol versions and requirements Updated Appendix A table Minor update as per SADWG input o o o Revised: Clarified wording Adjusted presentation of Appendix A table Updated roles and responsibilities Approved by Information Technology Executive Leadership Council (ITELC). Approved document version number set to 1.2 o Updated document information UNCLASSIFIED 19

20 APPENDIX A: APPROVED ALGORITHMS AND PROTOCOLS Cryptographic algorithms The cryptographic algorithms, key lengths, and operating modes approved for Government of Ontario use are listed below, including those required for high-risk situations as determined by a TRA. 8 When determining the cryptographic requirements for the system, consideration must be given not only to the present extent of identified risk, but also the anticipated lifetime of the system and resulting retention of associated information. Table 1: Approved cryptographic algorithms and minimum strengths / key lengths Type Approved Algorithms Required Strength Minimum Requirement High-risk Situations Additional Requirements / Comments Symmetric Cryptography Triple DES (3DES) (FIPS WITHDRAWN) Must use 3 distinct 56 bit keys (EDE3) Should not use 3DES Use AES for all new implementations. CAST5-128 (RFC 2144) is an acceptable alternative to AES-128 if the latter presents an implementation challenge for a particular system. Applications using 3DES or unapproved algorithms (e.g., DES) should migrate to AES wherever practical. AES (FIPS 197) bit DES keys are effectively 56 bits long; this reduction in effective length similarly impacts 3DES implementations and should be considered prior to deployment. RSA (ANSI X9.31 / FIPS 186-3) Non-compliant implementations should be migrated wherever practical. Asymmetric Cryptography DSA (FIPS / (ANSI X9.42) L = 2048 N = 224 L = 3072 N = 256 The symbols L and N refer to public and private DSA key lengths respectively. ECC (ANSI X9.62 & 9.63 / FIPS / SP ) P-256 B-283 P-384 B-409 The minimum key length for Elliptic Curve systems depends on whether the curve is defined over a prime (P) or binary (B) field (e.g., P-xxx, B-xxx). Deploy validated and cryptographically secure implementations only. Consult CSB for use of other curves. Secure Hash Functions Digital Signatures and Hashes (FIPS 180-4) SHA-256 or stronger SHA-256 or stronger Legacy hash function implementations (e.g., MD5) must be migrated whenever practical to SHA-256 or stronger. MD5 should be considered deprecated. New implementations should not use SHA-1. The risk of hash collisions must be assessed and addressed appropriately. 8 Special purpose cryptography may be endorsed by CSB for specific use and/or high-risk environments. UNCLASSIFIED 20

21 Type Approved Algorithms Required Strength Minimum Requirement High-risk Situations Additional Requirements / Comments Message Authentication Codes HMAC (ANSI X / FIPS 198-1) CBC-MAC / CMAC / CCM (SP A/B/C) SHA-256 or stronger SHA-256 or stronger Consult Symmetric Cryptography entries for approved key lengths. AES should be used as the block cipher for MAC operation wherever practical. New HMAC implementations should not be based on SHA-1. The cryptographic strength of HMAC depends on the underlying hash function. The same symmetric key should not be used for encryption and MAC operations that are performed separately. CCM is a component within the i standard for wireless LAN authentication & encryption. Modes of operation Various modes of operation may be used for symmetric block cipher algorithms. Many of these modes are defined in NIST SP800-38A (please consult additional references for this document for more information on these and additional modes). The Electronic Codebook (ECB) mode of operation must not be used. Caution must be exercised and an appropriate mode deployed if the mode of operation for a block cipher must be manually determined or selected within a given system. Approved modes of operation for authentication and confidentiality are listed under Message Authentication Codes in the table above. More information is also available from Modes of Operation sections of the NIST Cryptographic Toolkit site. The Corporate Security Branch monitors the evolution of modes of operation and must be consulted prior to the deployment of new modes. Approved key establishment and exchange protocol implementations With the exception of GO-PKI and related infrastructure, the following implementations of asymmetric key protocols should be used for the establishment and exchange of a symmetric key for the encryption of subsequent communications: Secure Shell protocol 2.0 or newer/stronger; Secure Sockets Layer (SSL) v3.0 or newer/stronger (with preference for TLS); Transport Layer Security (TLS) v1.2 or newer/stronger (preferred); Wireless TLS; Internet Key Exchange (used by Internet Protocol Security [IPsec]); and Special purpose protocols endorsed by CSB for specific use and/or high-risk environments. UNCLASSIFIED 21

22 TLS/SSL support and implementation Government supplied Internet clients / browsers must support TLS. Previous versions of SSL should not be supported (with preference given to current TLS implementations) as they do not provide for acceptable levels of security and/or suffer from documented weaknesses. More recent versions of these protocols should be used as they become validated and implemented. The selection of TLS/SSL cipher suites must be performed in a manner such that all components of the cipher suite satisfy the requirements of the Approved cryptographic algorithms and minimum key lengths table published in this document (relative to the sensitivity of the data being passed via the TLS/SSL session). Client or server connections requesting weaker protocols or a reduction in the strength of cryptographic systems must be denied. Implementations of various network services may use the above (or similar) protocols to establish a secure connection; these protocols should be identified, and only used in conjunction with cryptography that satisfies the Approved cryptographic algorithms and minimum strengths / key lengths table published in this document. UNCLASSIFIED 22

23 6. APPENDIX B: DEFINITIONS Access: The ability to enter a physical area or use a resource, which may include viewing, adding, modifying or deleting data, and/or executing applications (running computer programs). Access controls: Procedures/devices designed to restrict entry to a physical area (physical access controls) or to limit use of a computer/communications system or stored data (logical access controls). Authenticate: To establish confidence in the reliability of an assertion (e.g., use of passwords, access cards, or other credentials), and verify the claimed identity of a user prior to granting access. Authentication: A process of testing assertions to establish a level of confidence (assurance) in their reliability as an indication of identity. Authorization: The procedural and technical allowance of specific privileges and access. Availability: The degree of readiness expected of information systems and IT resources to deliver an appropriate and timely level of service, regardless of circumstances. Block cipher: A cryptographic algorithm that processes fixed units of information as plaintext input, and produces encrypted output of that length via the use of a static key (e.g., AES). Certificate: The public key of an entity, together with other information, made authentic when digitally signed with the private key of the CA that issued it. Certificate formats are described within the X.509 and RFC 2459 specifications. Communications Security Establishment Canada: Canada's national cryptologic agency [it] provides the Government of Canada with two key services: foreign signals intelligence in support of defence and foreign policy, and the protection of electronic information and communication [from the CSEC public web site]. Confidentiality: Ensuring that information is accessible only to those authorized to have access. Unauthorized disclosure of the information constitutes a loss of confidentiality. The protection of confidentiality must be consistent with the sensitivity of information and legislative requirements (e.g., FIPPA, PHIPA). Cryptography: The discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, detect unauthorized modification, or prevent its unauthorized use. Cryptography is commonly used to provide confidentiality, integrity, message authentication, identity authentication and digital signatures. Cryptographic algorithm: A well-defined computational procedure that takes variable inputs including a cryptographic key and produces an output. Cryptographic key: A parameter used in conjunction with a cryptographic algorithm that determines its operation in such a way that an entity with knowledge of the key can reproduce or reverse the operation, while an entity without knowledge of the key cannot. Data: Any formalized representation of facts, concepts or instructions suitable for communication, interpretation or processing by a person or by automatic means. Decryption: The process of changing ciphertext (encrypted information) into plaintext using a cryptographic algorithm and key. Digital signature: A cryptographic technique based on a uniquely related pair of keys where one key is used to create a signature (the private signing key) and the other to check the UNCLASSIFIED 23

24 signature (the public verification key). A digital signature enables the recipient to verify the source (e.g., the signer) of a message or document and confirm its integrity. Elliptic Curve Cryptography: A cryptographic design whereby the strength of the system is predicated on the demonstrated difficulty of determining points on a plane curve when defined over large finite groups. This known property of large finite fields is also referred to as the discrete logarithm problem. Encryption: The transformation of data via cryptography into a form unreadable by anyone not in possession of the required key. It can provide for data confidentiality by keeping the information hidden from any individual or entity for which it was not intended. FIPS: (Federal Information Processing Standards): A set of standards developed by the National Institute of Standards and Technology (NIST) for use by the United States Government. FIPS deals with a wide range of computer system components, including those relating to security and assurance. Hash function: A function that maps a bit string of arbitrary length to a fixed length bit string. Common names for the output of a hash function include hash value, hash, message digest and digital fingerprint. Approved hash functions satisfy the following properties: One-way: it is computationally infeasible to find any input that maps to any pre-specified output, and Collision resistant: it is computationally infeasible to find any two distinct inputs that map to the same output. Identifier: A bit string that is associated with a person, device or organization. It may be an identifying name, or may be something more abstract (for example, a string consisting of an IP address and timestamp), depending on the application. Identity authentication: A process that uses a credential(s) to verify the identity of a user who is attempting to access resources and/or services. Information: The meaning derived from or assigned to facts or data, within a specified context. Information technology assets: Those resources (hardware, software, data etc.) associated with the creation, storage, processing and communication of information in the form of data, text, image and voice. Integrity: The property that information has not been modified or deleted in an unauthorized and undetected manner. Key escrow: an arrangement in which keys needed to decrypt encrypted data are held in escrow by a third party, such that authorized individuals may obtain them if required. Key management: The activities involving the handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction. Key recovery: A function in the lifecycle of keying material that uses mechanisms and processes that enable authorized entities to retrieve keying material from key backup or archive. Key revocation: A function in the lifecycle of keying material; a process whereby a notice is made available to affected entities that keying material should be removed from operational use prior to the established expiry date for that keying material. Managed perimeter boundary: The portion of the Government of Ontario network connected to the internal Corporate Firewall cluster interface points. UNCLASSIFIED 24

25 Message authentication code (MAC): A cryptographic checksum on data to detect both accidental and intentional modifications of data. Network attached storage (NAS): A server specifically designed for handling files (rather than block data). Network-attached storage is accessible directly on the local area network (LAN) through LAN protocols such as TCP/IP. This is as opposed to storage that is internal to or directly connected to a server (e.g., via parallel SCSI cables) and only accessible from that server. Non-repudiation: A service that enables the integrity and origin of information to be verified by a third party. This service prevents the originating entity from successfully denying involvement. Non-repudiation is supported cryptographically though the use of a digital signature created using a private key known only by the signer (the originating entity). Password: A string of characters (letters, numbers and other symbols) that are used to authenticate an identity or to verify access authorization. Pass phrase: A lengthy string of characters intended to provide for significantly increased complexity compared to traditional passwords, in a format users can readily recall from memory. Privacy: The ability of an individual or group to control personal information and prevent it from being used by people or for purposes other than those they consented to when they provided the information. Organizations must have controls to restrict the collection, use and/or disclosure of personal information to that authorized by the individual or group. In the case of Government organizations, legislative authority is required to collect and use the personal information needed for the delivery of a specific program or service. Private key: A cryptographic key, used with a public key cryptographic algorithm that is uniquely associated with an entity and is not made public. In an asymmetric (public) cryptosystem, the private key is associated with a public key. Program manager: The person responsible for the continued development, operational control, implementation, monitoring, etc. of a specific program or service within a Ministry. Public key: A cryptographic key that is used with a public key cryptographic algorithm. The public key is uniquely associated with an entity and may be made public. In an asymmetric (public key) cryptosystem, the public key is associated with a private key. The public key may be known by anyone and, depending on the algorithm, may be used to: Verify a digital signature that is signed by the corresponding private key (public verification key); and/or Encrypt data that can be decrypted by the corresponding private key (public encryption key). Public key certificate: A public key that has been digitally signed by the issuing organization (Certification Authority). The integrity of the public key can be confirmed by verifying the digital signature associated with it. Responsibility: The obligation to perform a given task or tasks associated with a specific role. Risk: An estimation of the likelihood and impact of potential events on an organization s ability to meet its business objectives. Safeguard: A protective and precautionary measure intended to prevent a threat agent from reducing security or causing harm. Secret key: See symmetric key. UNCLASSIFIED 25

Archived NIST Technical Series Publication

Archived NIST Technical Series Publication Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated

More information

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST Safeguarding Data Using Encryption Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST What is Cryptography? Cryptography: The discipline that embodies principles, means, and methods

More information

SP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

SP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals

More information

Applied Cryptology. Ed Crowley

Applied Cryptology. Ed Crowley Applied Cryptology Ed Crowley 1 Basics Topics Basic Services and Operations Symmetric Cryptography Encryption and Symmetric Algorithms Asymmetric Cryptography Authentication, Nonrepudiation, and Asymmetric

More information

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

DRAFT Standard Statement Encryption

DRAFT Standard Statement Encryption DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held

More information

FIPS 140-2 Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

FIPS 140-2 Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0 FIPS 40-2 Non- Proprietary Security Policy McAfee SIEM Cryptographic Module, Version.0 Document Version.4 December 2, 203 Document Version.4 McAfee Page of 6 Prepared For: Prepared By: McAfee, Inc. 282

More information

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information

More information

Recommendation for Key Management Part 1: General (Revision 3)

Recommendation for Key Management Part 1: General (Revision 3) NIST Special Publication 800-57 Recommendation for Key Management Part 1: General (Revision 3) Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid C O M P U T E R S E C U R I T Y

More information

Guide to Data Field Encryption

Guide to Data Field Encryption Guide to Data Field Encryption Contents Introduction 2 Common Concepts and Glossary 3 Encryption 3 Data Field Encryption 3 Cryptography 3 Keys and Key Management 5 Secure Cryptographic Device 7 Considerations

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Security Requirements for Firewalls

Security Requirements for Firewalls Government of Ontario IT Standard (GO-ITS) Number 25.6 Security Requirements for Firewalls Version #: 1.2 Status: Approved Prepared under the delegated authority of the Management Board of Cabinet UNCLASSIFIED

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016 National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION

More information

Chapter 10. Cloud Security Mechanisms

Chapter 10. Cloud Security Mechanisms Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based

More information

Guideline for Implementing Cryptography In the Federal Government

Guideline for Implementing Cryptography In the Federal Government NIST Special Publication 800-21 [Second Edition] Guideline for Implementing Cryptography In the Federal Government Elaine B. Barker, William C. Barker, Annabelle Lee I N F O R M A T I O N S E C U R I T

More information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information

INFORMATION SECURITY POLICY DOCUMENT. The contents of this document are classified as DC 1 Private information 6 th Floor, Tower A, 1 CyberCity, Ebene, Mauritius T + 230 403 6000 F + 230 403 6060 E ReachUs@abaxservices.com INFORMATION SECURITY POLICY DOCUMENT Information Security Policy Document Page 2 of 15 Introduction

More information

Neutralus Certification Practices Statement

Neutralus Certification Practices Statement Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

Recommendation for Cryptographic Key Generation

Recommendation for Cryptographic Key Generation NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication

More information

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc. Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0 Accellion, Inc. December 24, 2009 Copyright Accellion, Inc. 2009. May be reproduced only in its original entirety

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

Authentication requirement Authentication function MAC Hash function Security of

Authentication requirement Authentication function MAC Hash function Security of UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE

More information

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation Walt Hubis, LSI Corporation SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA. Member companies and individuals may use this material in presentations and literature

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4

More information

Credit Card Security

Credit Card Security Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Apple Corporate Email Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Apple Corporate Email Certificates Certificate Policy and Certification Practice Statement. Apple Inc. Apple Inc. Certificate Policy and Certification Practice Statement Version 2.0 Effective Date: April 10, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

An Introduction to Cryptography as Applied to the Smart Grid

An Introduction to Cryptography as Applied to the Smart Grid An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Ericsson Group Certificate Value Statement - 2013

Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...

More information

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Introduction The new standard ISO/IEC 27001:2013 has been released officially on 1 st October 2013. Since we understand that information

More information

XN--P1AI (РФ) DNSSEC Policy and Practice Statement

XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...

More information

Management and Use of Information & Information Technology (I&IT) Directive. Management Board of Cabinet

Management and Use of Information & Information Technology (I&IT) Directive. Management Board of Cabinet Management and Use of Information & Information Technology (I&IT) Directive Management Board of Cabinet February 28, 2014 TABLE OF CONTENTS PURPOSE... 1 APPLICATION AND SCOPE... 1 PRINCIPLES... 1 ENABLE

More information

Danske Bank Group Certificate Policy

Danske Bank Group Certificate Policy Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...

More information

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013

USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars October 29, 2013 USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars Alternate Title? Boy, am I surprised. The Entrust guy who has mentioned PKI during every Security

More information

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria

Gatekeeper PKI Framework. February 2009. Registration Authority Operations Manual Review Criteria Gatekeeper PKI Framework ISBN 1 921182 24 5 Department of Finance and Deregulation Australian Government Information Management Office Commonwealth of Australia 2009 This work is copyright. Apart from

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Public-Key Infrastructure

Public-Key Infrastructure Public-Key Infrastructure Technology and Concepts Abstract This paper is intended to help explain general PKI technology and concepts. For the sake of orientation, it also touches on policies and standards

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Recommendation for Key Management Part 2: Best Practices for Key Management Organization

Recommendation for Key Management Part 2: Best Practices for Key Management Organization NIST Special Publication 800-57 Recommendation for Key Management Part 2: Best Practices for Key Management Organization Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid C O M

More information

DataTraveler 5000 (DT5000) Technical Highpoints

DataTraveler 5000 (DT5000) Technical Highpoints DataTraveler 5000 (DT5000) Technical Highpoints Contents DT5000 TECHNOLOGY OVERVIEW...3 WHY DT5000 ENCRYPTION IS DIFFERENT...2 WHY DT5000 ENCRYPTION IS DIFFERENT SUMMARY...5 XTS-AES SECTOR-BASED ENCRYPTION...3

More information

CERTIFICATION PRACTICE STATEMENT UPDATE

CERTIFICATION PRACTICE STATEMENT UPDATE CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.

More information

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared

More information

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006 Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Information security controls. Briefing for clients on Experian information security controls

Information security controls. Briefing for clients on Experian information security controls Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Guidelines on use of encryption to protect person identifiable and sensitive information

Guidelines on use of encryption to protect person identifiable and sensitive information Guidelines on use of encryption to protect person identifiable and sensitive information 1. Introduction David Nicholson, NHS Chief Executive, has directed that there should be no transfers of unencrypted

More information

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Key Management Interoperability Protocol (KMIP)

Key Management Interoperability Protocol (KMIP) (KMIP) Addressing the Need for Standardization in Enterprise Key Management Version 1.0, May 20, 2009 Copyright 2009 by the Organization for the Advancement of Structured Information Standards (OASIS).

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Pulse Secure, LLC. January 9, 2015

Pulse Secure, LLC. January 9, 2015 Pulse Secure Network Connect Cryptographic Module Version 2.0 Non-Proprietary Security Policy Document Version 1.1 Pulse Secure, LLC. January 9, 2015 2015 by Pulse Secure, LLC. All rights reserved. May

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

APNIC elearning: Cryptography Basics. Contact: esec02_v1.0

APNIC elearning: Cryptography Basics. Contact: esec02_v1.0 APNIC elearning: Cryptography Basics Contact: training@apnic.net esec02_v1.0 Overview Cryptography Cryptographic Algorithms Encryption Symmetric-Key Algorithm Block and Stream Cipher Asymmetric Key Algorithm

More information

Certification Report

Certification Report Certification Report EAL 4+ Evaluation of ncipher nshield Family of Hardware Security Modules Firmware Version 2.33.60 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and non-repudiation. How to obtain a digital certificate. Installing

More information

Trustis FPS PKI Glossary of Terms

Trustis FPS PKI Glossary of Terms Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate

More information

1.1.1 Additional requirements for Trusted Root Issuer CAs Appropriate Certificate Usage Prohibited Certificate Usage...

1.1.1 Additional requirements for Trusted Root Issuer CAs Appropriate Certificate Usage Prohibited Certificate Usage... 1.1.1 Additional requirements for Trusted Root Issuer CAs... 10 1.3.1 Certification Authorities ( Issuer CAs )... 11 1.3.2 Registration Authorities... 11 1.3.3 Subscribers... 12 1.3.4 Relying Parties...

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

BlackBerry 10.3 Work and Personal Corporate

BlackBerry 10.3 Work and Personal Corporate GOV.UK Guidance BlackBerry 10.3 Work and Personal Corporate Published Contents 1. Usage scenario 2. Summary of platform security 3. How the platform can best satisfy the security recommendations 4. Network

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

Data Breaches and the Encryption Safe Harbor. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Data Breaches and the Encryption Safe Harbor. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Data Breaches and the Encryption Safe Harbor Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted.

More information