• Cryptography
  • Metadata
  • Use the best reasonably available cipher strength and key length
  • Use current standard open-source and vendor cryptographic methods and implementations
  • Encrypt all data at rest
  • Encrypt all data in transit
  • Manage cryptographic keys
  • Use certificates to authenticate keys
  • Legal compliance
  • Enforcement
  • References

Cryptography

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31

Use the best reasonably available cipher strength and key length

• AES-256 cipher
• 2048-bit keys

Use current standard open-source and vendor cryptographic methods and implementations

• Follow independent expert guidance from standards organizations and academia.
• Update protocols and configurations when older versions are found to be insecure.

Code	Section	Title
OWASP	Cryptographic Storage Cheat Sheet	Algorithms
OWASP	Cryptographic Storage Cheat Sheet	Custom Algorithms

Encrypt all data at rest

• Encrypt data at rest using
  • For devices: the official vendor or standard open-source method (e.g. FileVault, dm-crypt and LUKS)
  • For infrastructure: a method provided by the cloud provider (e.g; full disk encryption, server-side encryption, storage encryption)

Encrypt all data in transit

• Encrypt data during transmission over all networks (public and private)
• Encrypt HTTPS/TLS connections using strong cryptography as defined by PCI DSS

Code	Section	Title
PCI-DSS	Requirement 4	Encrypt transmission of cardholder data across open, public networks
HIPAA	164.312(e)(1)	Standard: Transmission security
HIPAA	164.312(e)(2)(i)	Integrity controls (Addressable)
HIPAA	164.312(e)(2)(ii)	Encryption (Addressable)

Manage cryptographic keys

• Automate the entire key lifecycle
  • Centrally manage the distribution of keys.
  • Automate generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
• Protect keys
  • against modification or loss
  • for private keys, against unauthorized use and disclosure
• Rotate keys when
  • a suspected breach occurs
  • an entity with access to the key must have its access removed

Code	Section	Title
ISO	A.10.1.2	Key management
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Use certificates to authenticate keys

• Protect endpoints with certificates.
• Use commonly accepted and independently trusted signing authorities for all public endpoint certificates.

Legal compliance

• Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Code	Section	Title
ISO	A.18.1.5	Regulation of cryptographic controls

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.10.1	Cryptographic controls
ISO	A.10.1.1	Policy on the use of cryptographic controls
HIPAA	164.312(a)(2)(iv)	Encryption and decryption (Addressable)
SOC2	CC6.1	The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

August 30, 2022

Powered by