Technical security for protected information assets

The Encryption Key Management System (CKMS) handles, manages, stores, and monitors encryption keys. The management system can be implemented as an automated tool or as a more manual implementation.

The organization must have the means to monitor and report on all encryption materials and their status using an encryption key management system. The cryptographic key management system should be used at least to:

• Track changes to cryptographic states
• Generate and distribute cryptographic keys
• Generate public-key certificates
• For monitoring unidentified encrypted assets
• For cataloging, archiving, and backing up encryption keys
• Maintains a database of connections to an organization's certificate and encryption key structures

An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.

Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:

• trust level (eg public, workstations, server)
• organizational units (eg HR, financial management)
• or by some combination (for example, a server domain that is connected to multiple organizational units)

Separation can be implemented either with physically separate networks or with logically separate networks.

The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

• logging in does not reveal the associated application until the connection is established
• the login does not display help or error messages that would assist an unauthorized user
• logging in will only validate the data once all the data has been entered
• login is prevented from using fatigue attacks
• login logs failed and successful login attempts
• suspicious login attempts are reported to the user
• passwords are not sent as plain text online
• the session does not continue forever after logging in

Our organization has defined policies for creating, storing, sharing, and deleting encryption keys.

Encryption key lengths and usage practices will be selected in accordance with best general practices by monitoring developments in the industry.

We use strong encryption during password transmission and storage in all services we develop.

When choosing the encryption methods to be used, take into account e.g. the following points:

• the cost of using encryption
• encryption level (eg type, strength and quality of the encryption algorithm)
• the value of the assets to be protected

The need for the advice of external experts is always considered when determining used cryptographic practices.