Monday, June 3, 2019

Acceptable Encryption Policy

Introduction

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.

Scope

This policy applies to all Staysure.co.uk employees and affiliates.

Policy

The Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
RSA and Elliptic Curve Cryptography (ECC) are strongly recommended for asymmetric encryption.
In general, Staysure adheres to the NIST Policy on Hash Functions.
Diffie-Hellman, IKE or Elliptic Curve Diffie-Hellman (ECDH) key exchange must be used.
Endpoints must be authenticated before keys are exchanged or session keys are derived.
Public keys used to establish trust must be authenticated prior to use.
All servers and applications using SSL or TLS must have certificates signed by a known, trusted provider.
Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft or compromise.
The Infosec team will verify compliance with this policy through various methods.
Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.

Database Credentials Coding Policy

Introduction

For an application to connect to an internal database it must authenticate using database credentials. Incorrect use, storage or transmission of those credentials can lead to the compromise of very sensitive data.

Scope

This policy applies to all system implementers and software engineers who write code for applications that access database servers on the Staysure network.

Policy

To maintain the security of Staysure's internal databases, access by software programs must be granted only after authentication with credentials.
The credentials used for this authentication must not reside in the main, executing body of the program's source code.
Database credentials must not be stored in a location that can be accessed through a web server.
Database credentials may be stored as part of an authentication server (i.e. an entitlement directory), such as an LDAP server used for user authentication.
Database credentials must not reside inside the document tree of a web server.
Passwords or pass phrases used to access a database must adhere to the Password Policy.
Every program must have unique database credentials. Sharing of credentials between programs is not allowed.
Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy.
The Infosec team will verify compliance with this policy through various methods.
Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.
Any program code or application that violates this policy must be remediated within 90 days.

Web Application Security Policy

Introduction

Web applications account for the largest share of attack vectors outside of malware. Every web application must therefore be assessed for vulnerabilities before it is deployed to production.

Scope

This policy covers the assessment of all web applications, for the purpose of maintaining the security posture, compliance, risk management and change control of the technologies in use at Staysure.co.uk.

Policy

New application releases will be subject to a full assessment prior to release into the live environment.
Third-party web applications will be subject to a full assessment, after which they will be bound to the policy requirements.
Patch releases will be subject to an appropriate level of assessment based on the risk the changes pose to the application's functionality and architecture.
Any high-risk issue must be fixed immediately, or other mitigation must be put in place to limit exposure, before deployment.
A full assessment consists of tests for all known web application vulnerabilities using both automated and manual tools, based on the OWASP Testing Guide.
A quick assessment consists of a (typically automated) scan of an application for, at a minimum, the OWASP Top Ten web application security risks.
A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
The Infosec team will verify compliance with this policy through various methods.
Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.
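The Acceptable Encryption Policy above requires that public keys be authenticated before use and that TLS certificates be signed by a trusted provider. The following is an added example, not part of the policy text and not Staysure code, showing what that looks like for a Python TLS client: the shortcut that violates the policy beside the compliant settings, plus a small audit function that flags the weak settings. It assumes only the Python standard library `ssl` module; the optional `ca_file` argument is a placeholder for an internal CA bundle.

```python
import ssl
from typing import Optional


def insecure_client_context() -> ssl.SSLContext:
    """The shortcut the policy forbids: any certificate from anyone is accepted,
    so the peer's public key is never authenticated before the key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation against trusted CAs
    return ctx


def policy_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Settings that meet the policy: the chain is validated against trusted CAs
    (the OS store, or ca_file for an assumed internal CA), the hostname is
    matched, and TLS 1.2 or later is required, which rules out TLS 1.0/1.1
    where AES-GCM suites do not exist."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings against the policy for an SSLContext; an empty list is compliant."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required or not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("policy", policy_client_context())):
        print(name, audit_context(ctx) or "compliant")
```

Note the order of the two assignments in `insecure_client_context`: Python refuses `verify_mode = CERT_NONE` while `check_hostname` is still enabled, which is why this shortcut is usually found in code as exactly that pair of lines and is easy to grep for.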
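The Database Credentials Coding Policy above is a set of rules about where credentials may live. The following is an added example, not part of the policy text and not Staysure code, that puts those rules into working Python: a constructed "before" snippet with the credentials baked into the program body, a scanner that finds that pattern, a loader that refuses a credential file inside a web document tree or readable by other users, and a check for programs sharing one database login. All paths, account names and passwords are constructed placeholders.

```python
import configparser
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# --- Before: credentials in the executing body of the program (forbidden).
# Constructed sample source, used only to exercise the scanner below.
FORBIDDEN_SNIPPET = '''
DB_HOST = "db.internal"
DB_USER = "claims_app"
DB_PASSWORD = "hunter2"          # secret baked into the code
dsn = f"postgresql://{DB_USER}:{DB_PASSWORD}@{DB_HOST}/claims"
'''

# String literal assigned to a password-like variable name, one per line.
_SECRET_ASSIGN = re.compile(
    r'^\s*(\w*(?:pass(?:word|wd)?|secret|token)\w*)\s*=\s*["\'][^"\']+["\']',
    re.IGNORECASE | re.MULTILINE)


def find_hardcoded_secrets(source: str) -> list[str]:
    """Names of variables in `source` that are assigned a literal secret."""
    return [m.group(1) for m in _SECRET_ASSIGN.finditer(source)]


# --- After: credentials live in a file outside the code and outside any
# web document tree, readable only by the service account.
@dataclass(frozen=True)
class DbCredentials:
    user: str
    password: str


class CredentialPolicyError(Exception):
    """Raised when a credential file breaks the policy."""


def _inside(path: str, root: str) -> bool:
    path, root = os.path.realpath(path), os.path.realpath(root)
    return path == root or path.startswith(root.rstrip(os.sep) + os.sep)


def check_location(cred_path: str, web_roots: list[str], mode: int) -> list[str]:
    """Policy findings for a credential file at cred_path with permission
    bits `mode` (as returned by os.stat().st_mode); empty means compliant."""
    findings = []
    for root in web_roots:
        if _inside(cred_path, root):
            findings.append(f"{cred_path} is inside web document tree {root}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{cred_path} is accessible to group or others "
                        f"(mode {oct(stat.S_IMODE(mode))})")
    return findings


def load_credentials(cred_path: str, web_roots: list[str]) -> DbCredentials:
    """Load [database] user/password from an INI file after checking its location."""
    findings = check_location(cred_path, web_roots, os.stat(cred_path).st_mode)
    if findings:
        raise CredentialPolicyError("; ".join(findings))
    cfg = configparser.ConfigParser()
    cfg.read(cred_path)
    return DbCredentials(cfg["database"]["user"], cfg["database"]["password"])


def shared_credentials(assignments: dict[str, DbCredentials]) -> list[list[str]]:
    """Groups of programs that share one database login (the policy allows none)."""
    by_cred = {}
    for program, cred in assignments.items():
        by_cred.setdefault(cred, []).append(program)
    return [sorted(p) for p in by_cred.values() if len(p) > 1]


def demo() -> DbCredentials:
    """Write a compliant credential file in a private temp dir and load it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "claims-db.ini")
        with open(path, "w") as f:
            f.write("[database]\nuser = claims_app\npassword = example-only\n")
        os.chmod(path, 0o600)
        # The assumed web root is a sibling directory, so the file is outside it.
        return load_credentials(path, [os.path.join(d, "htdocs")])


if __name__ == "__main__":
    print(find_hardcoded_secrets(FORBIDDEN_SNIPPET))
    print(check_location("/var/www/html/db.ini", ["/var/www/html"], 0o644))
    print(demo())
```

The location check compares real paths, so a credential file reached through a symlink under the document root is still rejected, and the permission check reads the actual mode bits rather than trusting the path name. A directory-backed store such as the LDAP server the policy mentions would replace `load_credentials`; the scanner and the sharing check stay the same.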
