Acceptable Encryption Policy: Purpose, Scope, and Measures
Purpose of the acceptable encryption policy
The main purpose of the Acceptable Encryption Policy is to establish the general principle that limits the use of encryption to algorithms that have received considerable public review. Proven effectiveness in practice is the other key controlling factor of the policy.
The scope of the policy
The scope of the Acceptable Encryption Policy covers all staff members, affiliates and owners of the organization once the policy is implemented.
Intent and rationale of the Acceptable Encryption Policy
The intent and rationale of the Acceptable Encryption Policy are to measure accountability and user satisfaction with the encryption techniques in use. In addition, the policy gives direction to the legal authority of the organization so that the granting, dissemination and use of encryption technology are properly controlled (Guo et al., 2017).
The following policy measures must be observed by the organization:
- Asymmetric algorithms such as RSA (Rivest, Shamir, Adleman) are recommended to the organization in order to provide strong encryption of organizational information.
- The organization is strongly recommended to use the Advanced Encryption Standard (AES), which ensures the confidentiality and integrity of information.
- The organization's endpoints that are most vulnerable to data leakage must be protected with strong cryptographic algorithms such as Diffie-Hellman or Elliptic Curve Diffie-Hellman.
- Appropriate cryptographic keys must be used, generated either logically or statistically, and must be protected from any kind of loss, compromise or theft (Qiao, Ren, Wang, Ba & Zhou, 2018).
- Public keys must be uniquely assigned to each individual, and the authenticity of each public key must be preserved.
- NIST standards and NIST-approved hash functions must be used by the organization in order to preserve the genuineness (integrity) of information.
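The following Go program is an added example, not part of the policy text, that shows the measures above in working code: a key drawn from the operating system's cryptographically secure random source, AES-256 in GCM mode (an authenticated mode, because AES by itself gives confidentiality only; the integrity guarantee comes from the GCM authentication tag or a separate MAC), and a SHA-256 digest as the NIST-approved hash. The payroll record, the record label and the tampering step are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key drawn from the operating system's
// cryptographically secure random source (crypto/rand). Keys generated this
// way are unpredictable; the policy still requires them to be stored and
// handled so that they cannot be lost, copied or stolen.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted (for example a record identifier), so a
// ciphertext cannot be moved to a different record without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. GCM checks the authentication tag before releasing any
// plaintext, so a modified ciphertext, nonce or aad yields an error instead of
// silently corrupted data: this is the integrity guarantee the policy asks for.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Fingerprint returns the hex SHA-256 digest of data, the kind of NIST-approved
// hash used to check that stored information has not been altered.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func main() {
	key, _ := NewKey()
	record := []byte("constructed sample: employee payroll record") // constructed input
	aad := []byte("record-id:42")                                  // constructed label
	sealed, _ := Seal(key, record, aad)
	fmt.Println("fingerprint of plaintext:", Fingerprint(record))

	if pt, err := Open(key, sealed, aad); err == nil {
		fmt.Printf("decrypted OK: %q\n", pt)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the ciphertext/tag
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

The nonce is prepended to the ciphertext so that it travels with the record; it need not be secret, only unique per key. A wrong key, a bit flip anywhere in the sealed bytes, or a changed record label all fail in Open rather than producing plausible-looking garbage.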
Verifying authority of the Acceptable Encryption Policy
This Acceptable Encryption Policy is verified and approved by top-level management and the owner of the organization through various methods of review and implementation.
Any violation of the Acceptable Encryption Policy by an employee of the organization is a punishable offense. Top-level management can take prompt action against individuals who violate the organization's rules. A person found guilty under the organization's Acceptable Encryption Policy will be fined and immediately removed from their roles and responsibilities.
Policy and procedures
- Boot disk encryption: Boot disk encryption allows a user to start the operating system only with a unique, secret code, and protects the valuable data the disk contains. The policy requires operating systems to be deployed with full disk encryption. For example, BitLocker and Symantec Endpoint Encryption are common products the organization can use to comply with the Acceptable Encryption Policy.
- Email encryption: The organization is recommended to implement end-to-end encryption so that the confidentiality and integrity of information in the organization can be protected. Email encryption covers a broad range of products, including those that encrypt individual e-mails. For example, PGP Desktop and similar email encryption products can be used by the organization to protect against email threats.
- External device encryption: Individual peripheral devices such as external hard disks, DVDs, CDs and USB flash drives must be properly encrypted. The information on these devices must be protected from unauthorized access by means of a password or PIN. For example, VeraCrypt, Cryptainer LE and PGP Desktop are common products the organization can use to protect the privacy of information.
- Mobile device encryption: Employees' personal devices must be properly encrypted under the organization's advanced encryption or asymmetric encryption policy scheme. Personal mobile devices and BYOD policies are a major source of risk to the organization (Sarier, 2018). Therefore, to ensure mobile device encryption, BlackBerry content protection, iPhone encryption and similar platform products are ones the organization must use.
- Transport-level encryption: To secure the transport layer of the OSI model, strong cryptographic schemes such as RSA, AES and Diffie-Hellman are used. These techniques allow ciphertext to be exchanged securely between sender and receiver. With appropriately configured servers, transport-level encryption protects users from eavesdropping, man-in-the-middle attacks and similar threats. For example, FileZilla, PSFTP, SCP and WinSCP are tools the organization should use for encrypted file transport.
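As an added example (not part of the policy text, and not the code of any of the products named above), the Go program below shows what the transport-level protection in the last bullet looks like in practice: a server that accepts only TLS 1.3, and a client that verifies the server's certificate against an explicit trust store before sending anything. The second call, with an empty trust store, shows the handshake being refused, which is the same outcome a client must reach when a man-in-the-middle presents a certificate it cannot verify. The certificate is a throwaway self-signed one generated in-process with a hypothetical common name, standing in for one the organization's PKI would issue; the message is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate valid for 127.0.0.1.
// It stands in for the certificate an organizational PKI would normally issue.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "internal-file-server (hypothetical)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client's explicit trust anchor
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}

// Echo starts a TLS 1.3-only echo server on loopback, connects to it as a
// client, sends msg and returns the echoed reply and the negotiated version.
// With trustServer false the client gets an empty trust store, so the handshake
// must fail: an unverifiable server is indistinguishable from an interposed one.
func Echo(msg string, trustServer bool) (string, uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", 0, err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13, // refuse legacy protocol versions
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		io.Copy(c, c) // echo bytes back until the client closes
	}()

	roots := x509.NewCertPool() // empty: nothing is trusted
	if trustServer {
		roots = pool
	}
	cliCfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS13}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", 0, err // certificate verification failures land here
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", 0, err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(conn, buf); err != nil {
		return "", 0, err
	}
	return string(buf), conn.ConnectionState().Version, nil
}

func main() {
	reply, ver, err := Echo("constructed sample transfer", true) // constructed message
	fmt.Printf("trusted:   reply=%q version=%#x err=%v\n", reply, ver, err)
	_, _, err = Echo("constructed sample transfer", false)
	fmt.Printf("untrusted: err=%v\n", err)
}
```

The two settings that carry the protection are MinVersion (the server never negotiates down to an older, weaker protocol) and RootCAs (the client only trusts certificates chaining to anchors it was explicitly given). Disabling verification on the client side, as some tooling permits, removes the man-in-the-middle protection the bullet describes, even though the traffic still looks encrypted on the wire.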
References
Guo, Z., Han, W., Liu, L., Xu, W., Ni, M., Zhao, Y., & Wang, X. (2017). Socialized policy administration. Computers & Security, 67, 232-243. doi: 10.1016/j.cose.2017.03.005
Qiao, H., Ren, J., Wang, Z., Ba, H., & Zhou, H. (2018). Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing. Future Generation Computer Systems, 88, 107-116. doi: 10.1016/j.future.2018.05.032
Sarier, N. (2018). Multimodal biometric Identity Based Encryption. Future Generation Computer Systems, 80, 112-125. doi: 10.1016/j.future.2017.09.078