Encryption Standards and Why It Matters

Our Objective:
Help your institution describe considerations for an encryption policy that ensures the protection of information confidentiality, integrity, and authenticity (CIA).
Encryption is a foundational defense against many different risk scenarios, ranging from communications eavesdropping to data breach and theft to access control of critical data. As such, institutions should develop policies and standards that define the appropriate secure use of encryption and the related key management methods. Decide where encryption keys will be stored securely. For enterprise institutions, key management quickly becomes complex and difficult to manage, and central key storage is likely the best option. Dictate strong access and auditing policies for this storage so that only authorized individuals can access keys. Ensure that a limited number of trusted administrators (but no fewer than two) can access this location, so that no single person holds the keys. For critical encryption keys, consider escrowing them in a physically secure location in the event of both database failure and backup failure.
Using a Trusted Platform Module (TPM) to store encryption keys is one example of a secure key management technique on client machines.