Page 50 - Ipsos
Information Classification: Internal Use
Ipsos Book of Policies & Procedures
- Unauthorized altering of the information’s integrity
- Unavailability, if necessary (e.g. http://www.ipsos.com – the Ipsos website should be available on the web 24/7)
5.4 Encryption Key Management
5.4.1 Scope
All internal and strictly confidential data, as defined in the Ipsos Information Management Policy, requires encryption. This can mean Whole Disk Encryption for PCs, file and folder encryption for files and removable media, and the use of SFTP or HTTPS for online transfers of data. It can also mean column-based or database-wide encryption for databases.
Information Asset Owners are responsible for ensuring that all the information in their possession is encrypted if their data is in scope under Ipsos’ data handling policy, or under client, legal or industry guidelines found in any binding contract, Statement of Work (SOW), Master Services Agreement (MSA), industry regulation or local legislation.
5.4.2 Key owners
Encryption keys are held by the individual Asset Owners who require the protection the keys provide. Owners of these encryption keys are required to maintain them according to the guidelines given below.
5.4.3 Algorithms and key size
Only industry-standard algorithms should be used. Algorithms with known flaws, which are out of date or otherwise known to be ineffective at protecting data, should never be used.
Transport Layer Security (TLS) should always be used in preference to Secure Sockets Layer (SSL). SSL should be replaced with TLS wherever possible.
Key sizes of 256 bits are preferred; key sizes should never go below 128 bits.
5.4.4 Maintenance guidelines
Encryption keys are considered Strictly Confidential Data and should be protected as per the Ipsos Information Management Policy.
Encryption keys should always be encrypted at rest, and access to them should be limited according to the principle of least access.
No fewer than two people should have access to each encryption key, for continuity purposes.
Asset Owners should catalog all key use.
All keys should be renewed annually. The renewal should be carried out by the Asset Owner and signed off by Information Security once it is completed, and it should be performed through Ipsos change management.
Page 10 of 22