ISO 27001 Annex : A.10 Cryptography
The article covers Cryptographic controls, Policy on the Utilization of Cryptographic Controls & Key Management.
A.10.1 Cryptographic controls
The purpose is to ensure effective and efficient use of cryptography to ensure the confidentiality, integrity, and authenticity of the information.
A.10.1.1 Utilization of Cryptographic Controls Policy
Developing and enforcing a policy concerning cryptographic controls is vital to the security of information.
Implementation Guidance- The following should be considered when designing a cryptographic policy:
1. Provide a management guide on applying cryptographic controls across an organization, including a list of general principles that should guide the protection of business information;
2. The level of security that is required should be calculated according to the level of risk, after taking the type, strength, and quality of encryption algorithms into account;
3. Encrypting information carried by mobile media equipment or via phone lines to secure the transport of information;
4. A detailed description of key management, describing how to deal with the security of cryptographic keys and how to recover encrypted information in the event of missing, corrupt or damaged keys;
5. Roles and responsibilities, such as who is responsible for what
– Implementing policies
– management of key performance indicators, including quality generation;
6. The standards an organization must follow for successful implementation (what solution is used for which business processes);
7. The impact of encrypted data on the functionality of countermeasures requiring content validation (such as malware detection).
In enforcing the cryptographic policy of the organization, it is important to consider the legal restrictions and regulations in different parts of the world regarding the use of cryptographic techniques, as well as issues relating to concerns about the trans-border flow of encrypted information.
Cryptographic control can be used to accomplish specific information security goals:
– Confidentiality: encrypting information to protect confidential or vital information, either in storage or transmission;
– Integrity and authenticity: check the authenticity or integrity of confidential or vital information by using digital signatures or message authentication codes;
– Non-repudiation: the use of cryptography to verify the occurrence or non-occurrence of an event
– Authentication: Requesting access to or making transactions with users, entities, and resources of a system using cryptographic techniques.
Other Information– An evaluation of the suitability of a cryptographic solution may be seen as part of the process of risk assessment and control selection. Depending on the outcome of this assessment, the decision would be made regarding whether cryptographic protection is sufficient, what form of protection should be used, and for what functions and processes.
To maximize the benefits and minimize the risks associated with the use of cryptographic techniques and to prevent inappropriate or incorrect usage, a policy on the use of cryptographic controls is important. A security policy must consider expert advice in selecting appropriate cryptographic controls.
A.10.1.2 Key Management
Control– A policy that governs the use of cryptographic keys, and their security should be established and enforced.
Implementation Guidance– The policy should guide handling cryptographic keys throughout their existence, including the generation, processing, archiving, retrieval, transmission, removal, and destruction of keys.
In the selection of cryptographic algorithms, primary lengths, and implementation methods best practices should be followed. The appropriate key management process can determine how to generate, process, archive, retrieve, transmit, remove, and destroy cryptographic keys.
All cryptographic keys must remain safe from change and loss. Further, private and confidential keys should be protected from unauthorized use as well as disclosure. Physical security must be maintained for the equipment that generates, processes, and archives keys.
Ideally, a key management framework would be based on a set of agreed-upon principles, protocols, and appropriate methods that:
1. Create keys for a variety of cryptographic schemes and applications;
2. The issuance and receipt of a public key certificate;
3. Provide the key to the intended entities, so that they can activate the key upon receipt;
4. Managing keys and allowing them to be accessed by authorized users;
5. Evaluate the need to update keys, including guidelines regarding when and how keys should be updated.
6. Identifying and addressing missing keys;
7. Revoking keys, including when they can be erased or disabled, for instance when a user leaves the organization or when keys are compromised (in such cases, keys should be archived as well);
8. Recovering corrupted or missing keys;
9. Archiving or backing up keys;
10. Disposing of keys;
11. Auditing and logging of key management activities.
If the key activation and deactivation dates are defined such that the key can only be used for the period defined in the associated key management policy, improper use will be reduced.
Aside from managing secrets and personal keys securely, public keys must be authentic. A public-key certificate can be used for this authentication process. Public key certificates are usually provided by an organization known as a Certification Authority, which should have adequate controls and procedures in place to ensure the level of confidence required.
It is important to note that agreements with external suppliers of cryptographic services, such as those with certification authorities, provide assurances of accountability, reliability, and response time.
Other information– Control of cryptographic keys is crucial to successfully use cryptography techniques. ISO / IEC 11770 provides additional information on key management.
ISO 27001 Annex: A.10 Cryptography tools may be used to protect cryptographic keys as well. There are procedures to be followed when handling legal demands for access to cryptographic keys, for example, a lawsuit might require the decryption of encrypted data as proof.
Related Questions
1. What are the methods of protecting my encryption key?
2. How does encryption key management work?
3. What is the recommended interval of time between changing encryption keys?
4. What is ISO 27001 Annex: A.10 Cryptography and how important is key management to keep any encryption system secure?
5. What does ISO 27001 Annex: A.10 Cryptography mean?