II.C.19 Encryption

Action Summary

Management should implement the type and level of encryption commensurate with the sensitivity of the information.


Encryption is used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. Encryption can be used throughout a technological environment, including the operating systems, middleware, applications, file systems, and communications protocols.

Encryption can be used as a preventive control, a detective control, or both. As a preventive control, encryption acts to protect data from disclosure to unauthorized parties. As a detective control, encryption is used to allow management to discover unauthorized changes to data. When prevention and detection are joined, encryption can be an important control in ensuring confidentiality, integrity, and availability.

Institution management should employ encryption strength sufficient to protect information from disclosure. Encryption methods should be reviewed periodically to ensure that the types and methods of encryption are still secure as technology and threats evolve. Decisions regarding what data to encrypt and at what points to encrypt the data are typically based on the risk of disclosure and the costs of encryption. The need to encrypt data is determined by the institution's data classification and risk assessment.

Passwords should be hashed or encrypted in storage. Passwords that are hashed also should be salted. In password protection, salt is a random string of data used to modify a password hash. Files containing encrypted or hashed passwords used by systems to authenticate users should be readable only with elevated (or administrator) privileges.
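The salted password hashing described above, as an added example that is not part of the handbook text: it uses PBKDF2-HMAC-SHA256 from Python's standard library (the algorithm, iteration count, and record format are assumptions, not something the handbook specifies) and contrasts it with an unsalted hash, which yields identical output for identical passwords.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters: PBKDF2-HMAC-SHA256, a salted, iterated password hash.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: two users with the same password get
    the same stored value, so one precomputed table cracks both at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt is drawn for each password unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time; the stored value itself is never reversed."""
    try:
        algo, iterations_s, salt_hex, hash_hex = record.split("$")
        hash_name = algo.split("_", 1)[1]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_s)
    except (ValueError, IndexError):
        return False  # malformed record: reject rather than raise
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def salts_differ(password: str) -> bool:
    """Two records for the same password differ because each gets its own salt."""
    return hash_password(password) != hash_password(password)
```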

Key management is crucial to the effective use of encryption. Key management is the management of cryptographic keys, including the generation, exchange, storage, use, and replacement of keys. Effective key management systems rely on an agreed set of standards, procedures, and secure methods that address the following (refer to ISO/IEC 11770-1:2010, "Key Management-Part 1: Framework"; ISO/IEC 11770-2:2008, "Key Management-Part 2: Mechanisms Using Symmetric Techniques"; and ISO/IEC 11770-3:2015, "Key Management-Part 3: Mechanisms Using Asymmetric Techniques"):

  • Generating keys for different cryptographic systems and different applications.
  • Generating and obtaining public keys.
  • Distributing keys to intended users, including how keys should be activated when received.
  • Storing keys, including how authorized users obtain access to keys.
  • Changing or updating keys, including rules on when and how keys should be changed.
  • Addressing compromised keys.
  • Archiving, revoking, and specifying how keys should be withdrawn or deactivated.
  • Recovering keys that are lost or corrupted as part of business continuity management.
  • Logging and auditing key management-related activities.
  • Instituting defined activation and deactivation dates, and limiting the usage period of keys.
