Cryptographic standard
Introduction
The purpose of this standard is to provide guidance that limits the use of encryption to those algorithms and ciphers that have received substantial public review and have been proven to work effectively.
Environment and code management
Ciphers in use meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.
Algorithms in use meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
Each cryptographic key has a key strength associated with it that provides adequate protection for the entire useful lifetime of the protected data, together with the ability to withstand attacks during that lifetime.
When choosing a hash function or block cipher, larger key and output sizes are preferred.
Only salted password hashes are used.
Hardware cryptographic devices are certified to Security Level 2 or higher, as defined in FIPS publication 140-2, Security Requirements for Cryptographic Modules.
Cryptographic systems are designed to fail closed: a failed cryptographic operation denies access rather than granting it.
Design & documentation
When required, key escrow methodologies are fully documented prior to production implementation of cryptographic systems.
On an ongoing basis, information related to cryptographic weaknesses and attacks is analysed, and recommendations are provided by the Security teams.
Key expiry dates are documented as part of a new key creation process.
Data protection & information security
All servers and applications using Transport Layer Security (TLS) have the certificates signed by a known, trusted certificate provider.
Public endpoints are secured with TLS 1.3 or, if that is not possible, TLS 1.2 with a short but diverse list of selected cipher suites.
Digital certificates used by Altus Group MUST be X.509 version 3 certificates issued (signed) by an Altus Group approved Certificate Authority (CA).
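The TLS requirement above, worked through as an added example (not part of the standard): a Python ssl server context that prefers TLS 1.3, allows TLS 1.2 as the only fallback with a short and diverse suite list, and an audit function that reports where a context falls short. The specific suite selection and the eight-suite cap are assumptions made for this example.

```python
import ssl

# TLS 1.2 fallback list for clients that cannot do TLS 1.3: deliberately short, but
# diverse in signature family (ECDSA/RSA) and AEAD family (AES-GCM/ChaCha20-Poly1305).
# Assumed selection for this example, not a list taken from the standard itself.
TLS12_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
]
# Substrings identifying primitives a vetted TLS 1.2 list must never contain.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK")

def build_server_context(certfile=None, keyfile=None):
    # Server context meeting the requirement: TLS 1.3 preferred, TLS 1.2 the only fallback.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # TLS 1.0 and 1.1 are refused
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(":".join(TLS12_SUITES))           # TLS 1.3 suites are fixed by OpenSSL
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    if certfile:                                      # chain signed by an approved CA
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def audit_suites(names, max_suites=8):
    # Violations of the "short but diverse" rule in a TLS 1.2 suite list; [] means compliant.
    problems = []
    if len(names) > max_suites:
        problems.append(f"list too long: {len(names)} suites > {max_suites}")
    for name in names:
        if not name.startswith("ECDHE-"):
            problems.append(f"{name}: no forward secrecy (static key exchange)")
        if "GCM" not in name and "CHACHA20" not in name:
            problems.append(f"{name}: not an AEAD suite")
        if any(marker in name for marker in WEAK_MARKERS):
            problems.append(f"{name}: weak or anonymous primitive")
    if not (any("AES" in n for n in names) and any("CHACHA20" in n for n in names)):
        problems.append("not diverse: both AES-GCM and ChaCha20-Poly1305 suites are required")
    return problems

def audit_context(ctx):
    # Check a live SSLContext: version floor plus the TLS 1.2 suites OpenSSL actually enabled.
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS 1.0/1.1 accepted; minimum version must be TLS 1.2")
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return problems + audit_suites(tls12)
```

Running audit_context against an existing service's context is a cheap pre-deployment check that the configured suite list still matches this requirement after library upgrades.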
Key management
Prior to any new cryptography implementation, the key life-cycle phases during which keys are managed are identified and documented.
Key management processes for all hard and soft keys are developed and maintained for all steps of the key management life cycle.
Processes are designed to prevent key substitution.
Keys are never shared or moved between production and non-production systems or environments.