Cryptography Policy

Security Classification: Public
Version: 1.1 (May 2025)

Cryptographic Controls

Policy on Use of Cryptographic Controls

The Security Leader, Security Architect or similar role is responsible for:

  • Establishing the policy on the use of cryptographic controls
  • Approving key lifecycle management standards and processes
  • Authorizing the use of cryptographic controls
  • Ensuring compliance with legal and regulatory requirements within jurisdictions in which KX operates (in conjunction with the KX Information Security & Compliance leader)
  • Maintaining an inventory of applications approved for use with cryptography
  • Providing technical advice on the use of cryptography

Information Owners and Information Custodians (product-level security and compliance) are responsible for:

  • Defining business and security requirements for cryptographic controls in the development or acquisition phase of information systems
  • Ensuring information and information systems are protected commensurate with their classification and value
  • Obtaining approval for the use of cryptographic controls by the Security Architect
  • Registering the use of approved cryptographic products and services with the Security Architect
  • Documenting the use of cryptographic controls in information systems

Encryption – Standards

Information Owners must implement cryptographic controls based on standard algorithms that have been approved for use, such as the Advanced Encryption Standard (AES).

Encryption of Data on All Networks

Information transmitted over all networks, including wireless networks and in Cloud environments, must be encrypted when there are confidentiality, integrity, non-repudiation and authentication requirements.

Encryption of Data on Internal Networks

All customer, employee and financial information, such as account numbers, names, addresses, phone numbers, banking information, credit card, consignment details, and invoice details should NOT be transmitted in clear text over the KX internal network.

Encryption of Data at Rest

All regulated data must be encrypted at rest (including backup data). Regulated data covers many data elements, including all data subject to control under PCI-DSS, HIPAA and GDPR.

Key Lifecycle Management

The Security Architect is responsible for approving key lifecycle management standards and processes.

The key lifecycle management infrastructure must support:

  • The secure enrollment of Information Users and devices
  • The secure distribution of cryptographic material
  • The secure storage of digital certificates
  • The secure backup of digital certificates
  • Automated digital certificate renewal
  • Automated revocation of digital certificates
  • Recovery of digital certificates that are lost or corrupted
  • Management of cryptographic key history