To draw up the security procedure for cryptographic controls, we identify the assets to be subjected to this control, establish the occasions for encryption and decryption, and design the remedies for regaining access to data that these controls make unavailable.
What exactly must be specified in the procedure for the cryptographic controls required by Annex A of ISO 27001? Let's see how to implement security policies for encrypting information effectively and in accordance with the provisions of the standard.
The encryption procedure must have a specific purpose
The company must explain and document, for everyone involved in processing information, that cryptographic algorithms, through the software that implements them, convert plaintext into ciphertext under the control of cryptographic keys.
In practice, a user who accessed the plaintext would understand its meaning and content and could learn confidential information, whereas if the text is encrypted the content appears as a sequence of incomprehensible characters.
risk of loss of confidentiality of that information. The application of this control must be documented in the Asset Inventory as part of the controls intended to protect confidentiality.
Information and assets subject to encryption
The encryption procedure must be very simple. As anticipated, the company must define the assets to be encrypted. Strictly speaking, what is encrypted is not the asset itself but the information it contains or protects. By way of example, the list could include:
- The hard drives of the server
- Data backed up to the cloud
- The media holding the configuration data of the network devices
- The disks of portable personal computers
- Fixed personal computer disks
- The memory of smartphones
- Authorization credentials for physical access through doors
- The fields of the databases
- The media holding the configuration data of the security devices
- Software that stores the data scanned, tracked and copied for the security of the information system and network
- The audio streams of internal VoIP telephone calls within the organization
The occasions in which to proceed with encryption
A good encryption procedure must establish the occasions on which the assets are subjected to the control. It is necessary to identify very specific work phases at which, taking into account the users' data availability requirements, the information present is "locked":
- On the computer workstations in the company
- On laptops used for teleworking
- In the various databases present in the company information system
- On servers in the server room
- In the cloud sections (present at remote providers)
The occasions in which to proceed with the decryption
Decrypting protected files, or protected information in general, is a controlled and supervised operation, since it allows authorized users to access the contents in clear text.
Decryption of the information and of its storage media must therefore take place only when unencrypted access is needed for work reasons, in a manner supervised by top management and the RGSI, with the support of the appropriate technical staff.
The company, where deemed necessary, must establish:
- The contents to be decrypted (made available in clear text)
- The occasion of decryption
- The person responsible for the decryption operation
- The way in which the decryption is carried out
The availability of the data corresponds to the availability of the key to decrypt
The risk of losing the decryption key can be incalculable for the company: the files would remain encrypted forever and would be totally lost.
Keys must be made available to the parties authorized to access the plain text. Thus the keys must be kept secret and chosen with due care. "Key Recovery" is the method adopted by the organization for the recovery of cryptographic information.
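The two points above, supervised decryption (who, on what occasion, by which method) and the fact that data availability is nothing more than key availability, can be made concrete with a small key-hierarchy model. The following is an added example written for this article, not code from the original page or from any ISO 27001 toolkit. It assumes a per-asset data encryption key (DEK) that is wrapped once under the user's key and once under an escrowed recovery key held for Key Recovery; the cipher itself is a demonstration construct built from HMAC-SHA256 so that it runs with the standard library only, and a real procedure would name an approved algorithm instead. Asset names, requester names and the sample record are constructed.

```python
import datetime
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Demonstration construct (assumption): HMAC-SHA256 in counter mode as a
# keystream, plus an HMAC tag (encrypt-then-MAC). It illustrates the key
# hierarchy; it is not a vetted cipher and not what a real policy would pick.


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class EncryptedAsset:
    """One inventory asset: ciphertext plus its DEK wrapped under each authorized key.

    The DEK is never stored in clear. Whoever holds a key that unwraps it (the
    user key, or the escrowed recovery key) can decrypt; nobody else can.
    """

    def __init__(self, asset_id: str, plaintext: bytes, user_key: bytes, recovery_key: bytes):
        dek = secrets.token_bytes(32)
        self.asset_id = asset_id
        self.ciphertext = seal(dek, plaintext)
        self.wrapped_dek: Dict[str, bytes] = {
            "user": seal(user_key, dek),
            "recovery": seal(recovery_key, dek),  # escrow copy used for Key Recovery
        }
        self.decryption_log: List[dict] = []

    def decrypt(self, key: bytes, slot: str, requester: str, reason: str) -> Optional[bytes]:
        """Supervised decryption: who, which key, why and when are always recorded."""
        dek = unseal(key, self.wrapped_dek[slot])
        plaintext = unseal(dek, self.ciphertext) if dek is not None else None
        self.decryption_log.append({
            "asset": self.asset_id, "slot": slot, "requester": requester,
            "reason": reason, "success": plaintext is not None,
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        })
        return plaintext


def key_loss_scenario() -> dict:
    """Walk the lifecycle: normal use, user key lost, recovery via escrow, total loss."""
    user_key, recovery_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"customer ledger Q3 (constructed sample)"
    asset = EncryptedAsset("SRV-01-disk", record, user_key, recovery_key)
    results = {}
    results["normal"] = asset.decrypt(user_key, "user", "alice", "monthly reconciliation")
    lost_key = secrets.token_bytes(32)  # the real user key is gone; a guess will not unwrap
    results["after_loss"] = asset.decrypt(lost_key, "user", "alice", "key lost")
    results["recovered"] = asset.decrypt(recovery_key, "recovery", "rgsi",
                                         "key recovery approved by top management")
    results["both_lost"] = asset.decrypt(lost_key, "recovery", "rgsi", "no escrow copy")
    results["log_entries"] = len(asset.decryption_log)
    return results


if __name__ == "__main__":
    for step, value in key_loss_scenario().items():
        print(f"{step}: {value!r}")
```

The scenario makes the article's warning visible: once the user key is gone, the ciphertext is unreadable until the escrowed recovery key unwraps the DEK, and if that copy is also lost the data is gone for good. The log entry written on every attempt is the minimum record the decryption procedure asks for (contents, occasion, responsible person, method); in practice it should be stored where the requester cannot alter it, and the recovery key itself should be kept by the parties the procedure names rather than alongside the user key.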