Cryptographic Control Policy (A.10.1.1)
- All systems requiring authentication should make use of strong passwords as part of the authentication process in accordance with the Password Management Policy.
- Systems using cryptography should use industry standard secure algorithms as noted herein.
- Where applicable, any and all legislative or regulatory mandates relative to Breezy cryptographic controls will be adhered to by employing Threat and Risk Assessment followed by proper Change Management Policy procedures.
- Data stored or transmitted should be encrypted at rest and in transit.
Breezy’s Cryptographic Control Policy shall include the following:
- All information assets (data) either owned by Breezy or entrusted to Breezy by a client under an agreement that specifically details Breezy’s data responsibility
- Information assets held, processed, or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings
Do not write your own encryption implementation. Always use industry standard encryption methods known to be secure.
Scoped assets with HTTPS servers must be configured so:
- TLS protocols available are in the Acceptable SSL list below
- TLS cipher suites available are in the acceptable cipher suites list below
- When possible, the server will prefer to negotiate with the preferred protocol and preferred cipher suites in the lists below
Encryption at Rest
All encryption at rest will use AES-128 encryption or better. Keys for encryption at rest will be maintained inside Amazon Web Services Key Management System.
Applications developed by Breezy will use one of the following cryptographic methods when handling sensitive data:
- Bcrypt or better, when storing passwords in a database
- MD5 or better when creating one-way hashes to anonymize data
- AES-128 or better when encrypting data with an appropriate mode of operation
- TLS keys (used for HTTPS) for certificates issued through Amazon Certificate Manager by Breezy will be rotated on an annual basis.
- TLS keys for certificates issued by a 3rd party customer will be rotated at least every three years.
- Keys used for encryption at rest in Amazon Web Services Key Management System will be rotated every year (for Breezy-managed keys (“CMKs”)) or every three years (for Amazon-managed keys).
- Keys used for application-level cryptography will be rotated at least every three years.
- The Information Security Manager is responsible for ensuring the Cryptographic Controls listed in this document afford company assets adequate protection.
- Asset owners are responsible for ensuring their information assets adhere to the Cryptographic Controls listed in this document.