Hello and welcome to IT Security Policy Training on Cybrary. This is part of module two, the encryption and decryption policy, with myself, Troy Lemaire.
The learning objectives for this policy are to define algorithm requirements,
hash function requirements,
key agreement and authentication requirements,
and key generation requirements.
Now, if we look into the actual body of the policy and what it entails, we're going to use another SANS template. This template is called the Acceptable Encryption Policy, and it covers everything you need for encryption and decryption.
So, looking at the purpose: it is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
Now, whenever you're talking about encryption algorithms, these things change over time. Stronger algorithms will come out,
and then, of course, weaker algorithms will get cracked and are no longer acceptable to use inside of an encryption policy.
The scope of this policy applies to all employees and affiliates.
Looking at the body of it, the algorithm requirements section
talks about using ciphers that meet or exceed
the set defined as AES-compatible or partially AES-compatible, according to the IETF
slash IRTF Cipher Catalog, or the set defined by
NIST, which is the National Institute of Standards and Technology.
Algorithms must meet the standards defined for use in the NIST publication FIPS 140-2, or any superseding documents. Again, NIST updates these publications with the latest information in regards to algorithms.
The signature algorithms that you can use and that are acceptable are listed here, and again these can be updated as you need.
In regards to the hash function requirements, the company is going to adhere to the NIST policy on hash functions, which again is something that gets updated
by the NIST organization.
For key agreement and authentication, key exchange must use one of the following cryptographic protocols,
and the ones listed here are again items that can be updated, so you want to check with the NIST policies for key agreement.
Endpoints must be authenticated prior to the exchange or derivation of session keys,
and public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed messages or manual verification of the public key hash.
All servers used for authentication, such as RADIUS or TACACS, must have installed a valid certificate signed by a known, trusted provider.
All servers and applications using SSL or TLS must have the certificate signed by a known, trusted provider.
Now again, SSL is something that has been outdated, and TLS has versions that are outdated, such as TLS 1.1 and
things like that. So you want to make sure that you're using the latest SSL
or TLS; again, you shouldn't be using SSL at this point, but if you are, you'd want to make sure that you're using the latest version of SSL, or you can upgrade to TLS or whatever is going to be the
latest technology that is available.
Key generation: cryptographic keys must be generated and stored in a secure manner that prevents loss.
Key generation must be seeded from an industry-standard random number generator,
and again, the example listed is the NIST
appendix of approved random number generators.
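The key agreement, TLS and key generation requirements above can be enforced and audited in code. This is an added Python example, not code from the lecture or the SANS template; the minimum TLS version, the deprecated-protocol list and the weak-primitive tokens are assumed, illustrative policy parameters.

```python
"""Added example: checks for the key agreement, TLS and key generation
requirements of the encryption policy. Policy parameters below are
assumptions chosen for illustration, not values from the SANS template."""
import secrets
import ssl

# Assumed policy parameters (illustrative)
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2              # SSL and TLS 1.0/1.1 are out
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # non-AES / broken primitives


def policy_context() -> ssl.SSLContext:
    """Client context enforcing the policy: the peer certificate must chain
    to a trusted CA, the protocol is TLS 1.2 or later, and TLS 1.2 suites are
    limited to AES-GCM with ephemeral (forward-secret) key exchange."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + system trust store
    ctx.minimum_version = MIN_TLS_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")  # OpenSSL cipher-string syntax
    return ctx


def audit_negotiated(protocol: str, cipher: str) -> list[str]:
    """Review a negotiated (protocol, cipher suite) pair, e.g. from a scan
    report, against the policy and return the list of findings."""
    findings = []
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"{protocol} is deprecated; TLS 1.2 or later is required")
    name = cipher.upper()
    for token in WEAK_TOKENS:
        if token in name:
            findings.append(f"{cipher} uses the weak primitive {token}")
    if "AES" not in name:
        findings.append(f"{cipher} is not AES-compatible")
    return findings


def generate_key(nbytes: int = 32) -> bytes:
    """Key material from the OS CSPRNG, which is what 'seeded by an
    industry-standard random number generator' means in practice. The
    'random' module is a statistical PRNG and must not be used for keys."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    for proto, suite in [("TLSv1.1", "RC4-SHA"), ("TLSv1.2", "DES-CBC3-SHA"),
                         ("TLSv1.3", "TLS_AES_256_GCM_SHA384")]:
        print(proto, suite, audit_negotiated(proto, suite) or "OK")
    print(policy_context().minimum_version.name, len(generate_key()), "byte key")
```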
Looking at policy compliance, the compliance measurement: the Infosec team is going to verify compliance with this policy through various methods,
including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions: any exception to the policy must be approved by the Infosec team, but that needs to be done in advance.
And then there's always non-compliance:
employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
So in summary, today's lecture covered how to define algorithm requirements, hash function requirements, key agreement and authentication requirements, and key generation requirements.
For all of the things that we listed from this policy, you would want to work in conjunction with your system administrators who are handling the different types of certificates and encryption, as well as any DBAs for your databases or a development team that does any type of development. They will be able to give you good input on all of these items to make sure that
you have the right information inside your policy
that matches up with what you're actually doing in the organization.
So, as a recap question: what are two organizations where you can find the defined ciphers that you need to meet or exceed?
That is the IETF slash IRTF Cipher Catalog
or the NIST encryption publications.
And cryptographic keys must be generated and stored in a secure manner to prevent what three things from occurring?
That would be loss,
theft, or compromise.
Looking forward, in the next lecture we're going to look at another general policy, which is the malicious software policy.
If you have any questions or need clarification, again, send me a Cybrary message; my username is Troy Lemaire. Thank you for attending this module.