Cryptographic Control Policy (A.18.1.5)

Objectives

  • All systems requiring authentication should make use of good passwords as part of the authentication process.
  • Systems using cryptography should use industry standard secure algorithms.
  • Where applicable, any and all legislative or regulatory mandates relating to Breezy cryptographic controls will be adhered to by employing a Threat and Risk Assessment followed by proper Change Management Policy procedures.
  • Data stored or transmitted should be encrypted at rest and in transit.

Scope

Breezy’s Cryptographic Control Policy shall include the following:

  • All information assets (data) either owned by Breezy or entrusted to Breezy by a client under an agreement which specifically details Breezy’s data responsibility
  • Information assets held, processed or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings

Policy

General Requirements

Do not write your own encryption implementation. Always use industry standard encryption methods known to be secure.

HTTPS

Scoped assets with HTTPS servers must be configured so that:

  • TLS protocols available are in the Acceptable SSL list below
  • TLS ciphersuites available are in the Acceptable Ciphersuites list below
  • When possible, the server will prefer to negotiate with the Preferred protocol and Preferred ciphersuites in the lists below

Acceptable SSL

  • TLSv1.1
  • TLSv1.2

Preferred SSL

  • TLSv1.2

Acceptable Ciphersuites

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-CBC-SHA
  • ECDHE-ECDSA-AES256-CBC-SHA
  • ECDHE-RSA-CHACHA20-POLY1305-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA

Preferred Ciphersuites

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
  • ECDHE-RSA-CHACHA20-POLY1305-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
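
An added example, not part of Breezy's policy or tooling: a Python check that audits a server's offered protocol and ciphersuite pairs against the lists above, including the preference clause. The scan format (one "<protocol> <ciphersuite>" pair per line, in server preference order), the sample data and the function name `audit` are assumptions.

```python
# Added example: audit offered TLS settings against the policy lists above.
ACCEPTABLE_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
PREFERRED_PROTOCOL = "TLSv1.2"
PREFERRED_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305-SHA256", "ECDHE-RSA-CHACHA20-POLY1305-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
}
ACCEPTABLE_CIPHERS = PREFERRED_CIPHERS | {
    "ECDHE-ECDSA-AES128-CBC-SHA", "ECDHE-ECDSA-AES256-CBC-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA", "AES128-SHA",
}
# Constructed sample in a hypothetical format: "<protocol> <ciphersuite>", server order.
SAMPLE_SCAN = """\
TLSv1.2 ECDHE-RSA-AES128-SHA
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 DES-CBC3-SHA
TLSv1.0 AES128-SHA
"""

def audit(scan_text):
    """Return a list of (rule, detail) findings; an empty list means compliant."""
    findings, protocols, first_non_preferred = [], set(), None
    def report(rule, detail):
        if (rule, detail) not in findings:  # report each problem once
            findings.append((rule, detail))
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        proto, cipher = line.split()
        protocols.add(proto)
        if proto not in ACCEPTABLE_PROTOCOLS:
            report("protocol-not-acceptable", proto)
        if cipher not in ACCEPTABLE_CIPHERS:
            report("cipher-not-acceptable", cipher)
        elif cipher not in PREFERRED_CIPHERS:
            first_non_preferred = first_non_preferred or cipher
        elif first_non_preferred:  # preferred suite ranked after a non-preferred one
            report("preferred-ranked-below", f"{cipher} after {first_non_preferred}")
    if PREFERRED_PROTOCOL not in protocols:
        report("preferred-protocol-not-offered", PREFERRED_PROTOCOL)
    return findings

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_SCAN):
        print(f"{rule}: {detail}")
```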

Encryption at Rest

All encryption at rest will use AES-128 encryption or better. Keys for encryption at rest will be maintained inside Amazon Web Services Key Management System.

Application-Level Cryptography

Applications developed by Breezy will use one of the following cryptographic methods when handling sensitive data:

  • Bcrypt or better, when storing passwords in a database
  • MD5 or better, when creating one-way hashes to anonymize data
  • AES-128 or better when encrypting data with an appropriate mode of operation

Key Rotation

  • TLS keys (used for HTTPS) for certificates issued through Amazon Certificate Manager by Breezy will be rotated on an annual basis.
  • TLS keys for certificates issued by a 3rd party customer will be rotated at least every three years.
  • Keys used for encryption at rest in Amazon Web Services Key Management System will be rotated every year (for Breezy-managed keys (“CMKs”)) or every three years (for Amazon-managed keys).
  • Keys used for application-level cryptography will be rotated at least every three years.

Responsibilities

  • The Information Security Manager is responsible for ensuring the Cryptographic Controls listed in this document afford company assets adequate protection.
  • Asset owners are responsible for ensuring their information assets adhere to the Cryptographic Controls listed in this document.