Encryption of laptops

Critical
High
Normal
Low

Laptops are protected by full-disk encryption.

Connected other frameworks and requirements:
10.1.1: Policy on the use of cryptographic controls
ISO 27001
8.24: Use of cryptography
ISO 27001

Encryption of backup data

Critical
High
Normal
Low

When the confidentiality of backups is important, backups are protected by encryption. The need to encrypt backups may become highlighted when backups are stored in a physical location where security policies are unknown.

Connected other frameworks and requirements:
12.3: Backup
ISO 27001
10.1.1: Policy on the use of cryptographic controls
ISO 27001
12.3.1: Information backup
ISO 27001
8.13: Information backup
ISO 27001
8.24: Use of cryptography
ISO 27001

General, risk-based encryption policy

Critical
High
Normal
Low

Deciding on the need for encryption solutions is seen as part of an overall process that includes risk assessment and the definition of other management tasks.

The organization has established a general encryption policy that is always followed when protecting information using encryption.

Encryption policy defines:

  • general principles for using cryptographic controls throughout the organization
  • methods for determining the needed level of encryption on the basis of a asset risk assesment
  • the use of encryption on mobile devices
  • ways to protect encryption keys and recover encrypted data when keys are lost
  • roles and responsibilities related to encryption
  • the effects of encryption on other tasks of the security management system
Connected other frameworks and requirements:
I12: Salausratkaisut
10.1.1: Policy on the use of cryptographic controls
ISO 27001
10.1: Cryptographic controls
ISO 27001
10: Cryptography
ISO 27001
10.1.2: Key management
ISO 27001

Encryption of user password information

Critical
High
Normal
Low

We use strong encryption during password transmission and storage in all services we develop.

Connected other frameworks and requirements:
9.4.2: Secure log-on procedures
ISO 27001
10.1.1: Policy on the use of cryptographic controls
ISO 27001
14.1.3: Protecting application services transactions
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
8.5: Secure authentication
ISO 27001

Encryption of portable media

Critical
High
Normal
Low

Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

Connected other frameworks and requirements:
8.3.1: Management of removable media
ISO 27001
8.3.3: Physical media transfer
ISO 27001
10.1.1: Policy on the use of cryptographic controls
ISO 27001
PR.PT-2: Removable media
NIST CSF
A.11.4: Protecting data on storage media leaving the premises
ISO 27018

Revision of encryption methods and assessment of adequacy

Critical
High
Normal
Low

When choosing the encryption methods to be used, take into account e.g. the following points:

  • the cost of using encryption
  • encryption level (eg type, strength and quality of the encryption algorithm)
  • the value of the assets to be protected

The need for the advice of external experts is always considered when determining used cryptographic practices.

Connected other frameworks and requirements:
10.1.1: Policy on the use of cryptographic controls
ISO 27001
8.24: Use of cryptography
ISO 27001
No items found.