Deciding on the need for encryption solutions is seen as part of an overall process that includes risk assessment and the definition of other management tasks.
The organization has established a general encryption policy that is always followed when protecting information using encryption.
The encryption policy defines:
- general principles for using cryptographic controls throughout the organization
- methods for determining the needed level of encryption on the basis of an asset risk assessment
- the use of encryption on mobile devices
- ways to protect encryption keys and recover encrypted data when keys are lost
- roles and responsibilities related to encryption
- the effects of encryption on other tasks of the security management system