DRAFT Standard Statement Encryption



Similar documents
Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Chapter 7 Transport-Level Security

Complying with PCI Data Security

Encryption Policy Version 3.0

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

How To Encrypt Data With Encryption

An Introduction to Cryptography as Applied to the Smart Grid

PENN. Social Sciences Computing a division of SAS Computing. SAS Computing SSC. File Security. John Marcotte Director of SSC.

Excerpt of Cyber Security Policy/Standard S Information Security Standards

Healthcare Compliance Solutions

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Release: 1. ICANWK502A Implement secure encryption technologies

FileCloud Security FAQ

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network Security Essentials Chapter 5

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Secure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.

Research Information Security Guideline

Introduction to Cyber Security / Information Security

Credit Card Security

Securing Data at Rest ViSolve IT Security Team

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Catapult PCI Compliance

Fundamentals of Network Security - Theory and Practice-

Compliance and Industry Regulations

Lab Configure Basic AP Security through IOS CLI

Cornerstones of Security

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

BANKING SECURITY and COMPLIANCE

How Managed File Transfer Addresses HIPAA Requirements for ephi

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Is your data safe out there? -A white Paper on Online Security

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

2014 IBM Corporation

Understanding Secure Shell Host Keys

Network Management Card Security Implementation

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

HIPAA Privacy & Security White Paper

Overview. SSL Cryptography Overview CHAPTER 1

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

Blaze Vault Online Backup. Whitepaper Data Security

EXAM questions for the course TTM Information Security May Part 1

How To Understand And Understand The Security Of A Key Infrastructure

Secure Network Communications FIPS Non Proprietary Security Policy

Chapter 17. Transport-Level Security

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

How Reflection Software Facilitates PCI DSS Compliance

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

ERserver. iseries. Secure Sockets Layer (SSL)

Is Your SSL Website and Mobile App Really Secure?

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CHIS, Inc. Privacy General Guidelines

Spreed Keeps Online Meetings Secure. Online meeting controls and security mechanism.

ERserver. iseries. Securing applications with SSL

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

WS_FTP Professional 12. Security Guide

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Secure Data Transfer

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Lecture 9: Application of Cryptography

SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS

Security Digital Certificate Manager

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Single Sign-On Secure Authentication Password Mechanism

McAfee Firewall Enterprise 8.2.1

Eleventh Hour Security+

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Transport Level Security

CS5008: Internet Computing

Using BroadSAFE TM Technology 07/18/05

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

NWIMS. Online Backup Security Documentation

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Chapter 8. Network Security

CRYPTOGRAPHY IN NETWORK SECURITY

Achieving PCI-Compliance through Cyberoam

Compliance and Security Challenges with Remote Administration

Security Digital Certificate Manager

Transcription:

DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held by public organizations can include social security numbers, credit card numbers, and other personal information about Arkansas citizens. Government, in particular, is responsible for information that protects public health and public safety. Individuals with malicious intent can easily acquire information being transmitted electronically unless appropriate security measures are applied, such as encryption. If detected, the credentials employees use to access data and systems can provide unauthorized access which can lead to critical data being modified, deleted and ultimately made unavailable. For these reasons very sensitive information must be protected through encryption methods. 2. Scope This standard statement applies to all state agencies, boards, commissions, and administrative sections of institutions of higher education. 3. Background Arkansas Code Ann. Section 25-4-105(13) and (15)(Supp. 2007) gives the Department of Information Systems the authority to define standards, policies and specifications for state agencies and ensuring agencies compliance with those policies, procedures and standards. In addition, the department develops information technology security policy for state agencies. The State Security Working Group, made up of representatives of state agencies and higher education, wrote the Encryption Standard. 4. References 4.1 Data and System Security Classification Standard (SS-70-001) 4.2 Physical and Logical Security Standard (SS-70-008) 4.3 Wireless Security Standard (SS-70-010) SS-70-006 Encryption 1

5. Standard 5.1 The following standard applies only to data that is classified by the SS-70-001 Data and System Security Classification Standard as being Level C - Very Sensitive or Level D - Extremely Sensitive and transmitted on a public network, including the State Network, or removed from a covered entity s physical location. 5.1.1 Users accessing data from outside organizational local area networks shall encrypt their credentials, including login IDs and passwords, to access such data. 5.1.2 Data on all portable media and mobile computing devices, such as laptops, PDAs, flash drives, CDs, DVDs, or any external storage device shall be encrypted. 5.1.3 Backups for business continuity purposes that are taken offsite shall be encrypted. 5.1.3.1 Archived backups created prior to the effective date of this standard are exempt from this encryption requirement and are subject to the requirements of the Physical and Logical Security Standard (SS-70-008). 5.1.3.2 Encryption keys used to encrypt data used for business continuity purposes must be stored offsite within a locked or otherwise restricted environment in a building. Data shall be encrypted with algorithms utilizing 128 bit encryption, at a minimum. 5.1.4 5.1.4 Encryption products used shall be listed in the NIST cryptographic module validation list and validated to the current FIPS standard. Acceptable methods of 128 bit or higher encryption include, but are not limited to: 5.1.4.1 Triple-DES 5.1.4.2 Advanced Encryption Standard 5.1.4.3 International Data Encryption Algorithm (IDEA) 5.1.4.4 RSA (key length must be 1024 bits or higher) 5.1.4.5 SSL/TLS (secure socket layer) 5.1.4.6 Blowfish 5.1.4.7 ElGamal 5.1.4.8 SHA-2 (definition) 5.1.5 Unacceptable encryption methods include, but are not limited to: 5.1.5.1 DES (Data Encryption Standard) 5.1.5.2 MD5 (Message-Digest algorithm 5) 5.1.6 Encryption shall be used for data transmissions such as FTP (file transfer protocol) and Telnet. Methods of acceptable encryption include, but are not limited to, SSH, third party secure FTP solutions, and the use of a secure virtual private network (VPN). SS-70-006 Encryption 2

5.1.7 All email servers must be configured to accept TLS as the preferred connection method. 6. Procedures The State Cyber Security Office reserves the right to audit for compliance with this standard. Furthermore, the State Cyber Security Office has the right to grant an exception or exclusion to any part of this standard. The Arkansas Division of Legislative Audit also audits for compliance with this standard. 7. Revision History Date Description of Change x/x/2010 Original Standard Statement Published 8. Definitions 8.1 Advanced Encryption Standard (AES) The Advanced Encryption Standard (AES) is an encryption algorithm utilizing the Rijndael specification for securing information by federal government agencies. Key sizes of 128, 192, and 256 bits are specified in the AES standard. AES was approved by the National Institute of Standards and Technology (NIST) as US FIPS PUB 197. 8.2 Backup Information archived for the purpose of recovering systems and data in the event of a disaster or loss of data. 8.3 Data Encryption Standard (DES) The Data Encryption Standard is a symmetric key algorithm adopted by the federal government as a federal standard for protecting sensitive unclassified information. With an effective key length of 56 bits, DES was compromised in 1997. 8.4 File Transfer Protocol (FTP) An application layer protocol used to transfer bulk-data files between machines or hosts according to RFC959. 8.5 Flash drive Flash drives, also referred to as thumb drives or USB drives, are portable storage devices that use flash memory and are very lightweight and small. Flash drives can be used in place of a floppy disk, zip drive disk, or CD. 8.6 MD5 (Message-Digest algorithm 5) Designed by Ronald Rivest, MD5 is a cryptographic hash function that creates a 128- bit hash or representation of a message to provide data integrity. MD5 is not resistant SS-70-006 Encryption 3

to collision or the ability for two different hashes to represent the same message. As a result, MD5 should not be used for digital certificates or SSL applications. 8.7 RSA The RSA algorithm, developed by Rivest, Shamir and Adleman, can be used for public key encryption and digital signatures. Its security is based on the difficulty of factoring large integers. 8.8 Secure Shell (SSH) Secure Shell (SSH), sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. Both ends of the client/server connection are authenticated using a digital certificate and passwords are encrypted. SSH uses RSA public key cryptography for both connection and authentication. SSH-1 is considered obsolete as it is susceptible to man-in-the-middle attacks. SSH-2 replaces SSH-1. 8.9 Secure Socket Layer/Transport Layer Security (SSL/TLS) SSL/TLS is a protocol uses the public-and-private key encryption system, which also includes the use of a digital certificate. SSL/TLS is an integral part of most Web browsers (clients) and Web servers. 8.10 State Network The State network means the shared portions of the state's telecommunications transmission facilities, including all transmission lines and all associated equipment and software components necessary for the management and control of the state network. The state network is the backbone and doesn t include the local area networks. 8.11 Telnet Telnet is a network protocol that is used to connect to remote computers for the purpose of executing commands on a remote machine. Telnet is considered to be insecure due to several well-known vulnerabilities. 8.12 Triple DES Encryption Triple DES encryption encrypts data using the DES algorithm three times. Three 56- bit keys are used, instead of one, for an overall key length of 192 bits. 8.13 Secure Virtual Private Network (VPN) A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols. In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses. 9. Related Resources 9.1 COBIT standards: www.isaca.org/cobit.htm SS-70-006 Encryption 4

9.2 Act 1526 of 2005: ftp://www.arkleg.state.ar.us/acts/2005/public/act1526.pdf 9.3 HIPAA Security Standards: http://www.hipaadvisory.com/regs/finalsecurity/ 9.4 NIST Advanced Encryption Standard: http://csrc.nist.gov/publications/fips/fips197/fips- 197.pdf 9.5 FIPS (Federal Information Processing Standards) Module Validation Lists: http://csrc.nist.gov/groups/stm/cmvp/validation.html 9.6 American Reinvestment and Recovery Act HITECH (Health Information Technology for Economic and Clinical Health ) Act Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html 9.7 RFC959.org: http://tools.ietf.org/html/rfc959 10. Inquiries Direct inquiries about this standard to: Department of Information Systems State Cyber Security Office One Capitol Mall Little Rock, Arkansas 72201 Phone: 501-682-2701 FAX: 501-682-4310 Email: itpolicyteam@arkansas.gov DIS standards, policies and best practices can be found on the Internet at: http://www.dis.arkansas.gov/policiesstandards/pages/default.aspx SS-70-006 Encryption 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information