Time
2 hours 23 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:02
Hello and welcome to IT Security Policy Training on Cybrary. This is part of Module 2, the encryption and decryption policy, with myself, Troy LeMaire.
00:12
Learning objective for this policy would be to define algorithm requirements,
00:17
hash function requirements,
00:19
key agreement and authentication requirements,
00:22
and key generation requirements.
00:26
Now, if we look into the actual body of the policy and what it entails, we're gonna use another SANS template. This template is called the Acceptable Encryption Policy, which covers everything you need for encryption and decryption.
00:39
So looking at the purpose: it's to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.
00:48
Now, whenever you're talking about encryption algorithms, these things change over time. Stronger policies, or stronger algorithms, will come out.
00:57
And then, of course, weaker algorithms will get cracked and are no longer acceptable to use inside of an encryption policy.
01:07
Scope of this policy applies to all employees and affiliates.
01:11
We look at the body of it. The policy algorithm requirements
01:15
talks about the use in meeting or exceeding
01:19
the set defined as AES-compatible or partially AES-compatible, according to the IETF
01:25
slash IRTF Cipher Catalog, or defined
01:27
by
01:29
NIST, which is the National Institute of Standards and Technology.
01:34
Algorithms must meet the standards defined for use in this publication, FIPS 140-2, or any superseding documents. Again, NIST updates their publications with the latest information in regard to algorithms.
01:51
Signature algorithms that you can use and are acceptable are listed here, and these again can be updated as you need.
02:00
In regard to the hash function requirements, the company is gonna adhere to the NIST policy on hash functions, which again is something that gets updated
02:07
by the NIST organization.
02:10
Your key agreements and authentication: key exchange must use one of the following cryptographic protocols,
02:17
and the ones listed here are, again, items that can be updated. So you want to check with the NIST policies for key agreements.
02:25
Endpoints must be authenticated prior to the exchange or derivation of session keys,
02:30
and public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via cryptographically signed messages or manual verification of the public key hash.
02:43
All servers used for authentication, such as RADIUS or TACACS, must have installed a valid certificate signed by a known trusted provider.
02:51
All servers and applications using SSL or TLS must have the certificates signed by a known trusted provider.
02:58
Now again, SSL is something that has been outdated. Even TLS has versions that are outdated, such as TLS 1.1 and
03:07
things like that. So you want to make sure that you're using the latest SSL
03:12
or TLS, which again, you shouldn't be using SSL at this point. But if you are, you'd want to make sure that you're using the latest version of SSL, too. You can upgrade to TLS or whatever is gonna be the
03:22
latest technology that is available.
03:25
Key generation: cryptographic keys must be generated and stored in a secure manner that prevents loss,
03:30
theft, or compromise.
03:34
Key generation must be seeded from an industry standard random number generator,
03:38
and again it lists the example, a NIST
03:40
appendix here on approved random number generators.
03:46
Looking at policy compliance: the compliance measurement, the InfoSec team is gonna verify compliance to this policy through various methods,
03:53
including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
04:00
Exceptions: any exceptions can be approved by the InfoSec team, but they need to be done in advance,
04:05
and then there's always non-compliance.
04:08
Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
04:17
So in summary, today's brief lecture covered how to define algorithm requirements, the hash function requirements, key agreements and authentication requirements, and key generation requirements.
04:28
All of the things that we listed from this policy would want to work in conjunction with your system administrators who are handling the different types of certificates and encryption, as well as any DBAs for your databases or development team that does any type of development. They will be able to give you good input on all of these items to make sure that
04:46
you have the right information inside your policy
04:49
that matches up with what you're actually doing in the organization.
04:56
So as a recap question: what are two organizations where you can find ciphers that are defined that you need to meet or exceed?
05:02
And that is the IETF slash IRTF Cipher Catalog
05:08
or the NIST encryption publications.
05:13
And cryptographic keys must be generated and stored in a secure manner to prevent what three things from occurring?
05:19
And that would be loss,
05:21
theft, or compromise.
05:26
Looking forward in the next lecture, we're gonna look at another general policy, which is the malicious software policy.
05:32
If you have any questions or clarification, again, on Cybrary, message me; my user name is @TroyLeMaire. And thank you for attending this module
05:40
on Cybrary.

Up Next

Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By

Troy LeMaire
IT Security Officer at Acadian Ambulance
Instructor