This policy defines when, where and how cryptography is used in our organization, and how key management is done.
Technical staff are responsible for implementing the policy.
Following the Information classification policy, encryption must be used to protect information classified as Confidential or Sensitive, at rest or in motion.
- The maximum duration for all certificates (signing, SSL/TLS) is 1 year
- The use of wildcard certificates is not allowed
- All certificates should have a key length of at least 2048 bits
- Certificates should be configured to be automatically renewed
- Encryption keys (e.g. for encryption of backups or workstations) should be stored centrally
- All public-facing web sites are scanned each quarter using ssllabs.com; a score of "A" is the minimum acceptable result
- All email domains are scanned each quarter using mxtoolbox.com or internet.nl; critical problems must be resolved
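The certificate rules above (maximum one-year duration, no wildcard names, keys of at least 2048 bits, automatic renewal) can be checked mechanically. The script below is an added example and is not part of the original policy page: it models a certificate as a dict holding the fields you would read from `openssl x509 -text` or `ssl.getpeercert()` (the record layout, the `check_certificate` function and the sample records are constructed here), and it returns a list of rule violations. Two thresholds are assumptions rather than policy text: a 256-bit floor for EC keys, because the 2048-bit figure only makes sense for RSA, and a 30-day warning when a certificate is close to expiry, since a certificate that is about to lapse is the usual sign that automatic renewal is not actually working.

```python
"""Check X.509 certificate attributes against the certificate rules of the policy.

Added example, not part of the original page. Certificates are modelled as dicts
with the fields you would read off `openssl x509 -text` or ssl.getpeercert();
all sample records below are constructed.
"""
import ssl

MAX_CERT_DAYS = 365      # policy: maximum duration for all certificates is 1 year
MIN_RSA_BITS = 2048      # policy: key length of at least 2048 bits
MIN_EC_BITS = 256        # assumption: EC floor (P-256); the policy's figure is RSA-sized
RENEWAL_WARN_DAYS = 30   # assumption: flag certs this close to expiry (auto-renewal likely broken)


def check_certificate(cert, now):
    """Return a list of (rule, detail) violations; an empty list means the certificate complies.

    `now` is Unix time (seconds, UTC) so that checks are reproducible.
    Date strings use the ssl.getpeercert() / openssl format, e.g. "Jan  5 09:59:00 2025 GMT".
    """
    violations = []

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    # Rule: maximum certificate duration is 1 year.
    lifetime_days = (not_after - not_before) / 86400
    if lifetime_days > MAX_CERT_DAYS:
        violations.append(("max-duration",
                           f"valid for {lifetime_days:.0f} days, limit is {MAX_CERT_DAYS}"))

    # Rule: wildcard certificates are not allowed (check CN and every SAN entry).
    names = [cert["commonName"]] + list(cert.get("subjectAltName", []))
    wildcards = [n for n in dict.fromkeys(names) if "*" in n]
    if wildcards:
        violations.append(("wildcard", f"wildcard names not allowed: {', '.join(wildcards)}"))

    # Rule: key length of at least 2048 bits (RSA); EC floor is an assumption, see above.
    key_type, key_bits = cert["keyType"].upper(), cert["keyBits"]
    floor = MIN_EC_BITS if key_type == "EC" else MIN_RSA_BITS
    if key_bits < floor:
        violations.append(("key-length", f"{key_type} key is {key_bits} bits, minimum is {floor}"))

    # Rule: certificates should renew automatically. Renewal config is not visible in the
    # certificate itself, so an expired or nearly expired certificate is the observable signal.
    remaining_days = (not_after - now) / 86400
    if remaining_days < 0:
        violations.append(("expired", f"expired {-remaining_days:.0f} days ago"))
    elif remaining_days < RENEWAL_WARN_DAYS:
        violations.append(("renewal",
                           f"only {remaining_days:.0f} days left; verify automatic renewal"))

    return violations


# Constructed sample records (not real certificates). Evaluated as of 1 June 2025 UTC.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

GOOD_CERT = {
    "commonName": "www.example.com",
    "subjectAltName": ["www.example.com", "example.com"],
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 00:00:00 2025 GMT",   # 364 days
    "keyType": "RSA",
    "keyBits": 2048,
}

BAD_CERT = {
    "commonName": "*.example.com",
    "subjectAltName": ["*.example.com"],
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",   # 730 days
    "keyType": "RSA",
    "keyBits": 1024,
}

EXPIRING_CERT = {
    "commonName": "mail.example.com",
    "subjectAltName": ["mail.example.com"],
    "notBefore": "Jun 15 00:00:00 2024 GMT",
    "notAfter": "Jun 10 00:00:00 2025 GMT",   # 360 days, 9 days left
    "keyType": "EC",
    "keyBits": 256,
}


def main():
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT), ("expiring", EXPIRING_CERT)):
        result = check_certificate(cert, NOW)
        print(f"{label}: {'compliant' if not result else 'NON-COMPLIANT'}")
        for rule, detail in result:
            print(f"  [{rule}] {detail}")


if __name__ == "__main__":
    main()
```

The checker deliberately reports every failed rule rather than stopping at the first, so one run over an inventory of certificates gives the full remediation list. Feeding it real data means extracting the same fields from each certificate (for a live endpoint, `ssl.getpeercert()` supplies the names and dates; the key type and size come from the parsed public key, which that call does not expose).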
Updated 8 months ago