
Sunday, March 31, 2019

Acceptable Encryption Policy

Acceptable Encryption Policy

Introduction

The purpose of this policy is to set out the general principles that limit the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively.

Scope

This policy applies to all Staysure.co.uk employees and affiliates.

Policy

It is strongly recommended to use the Advanced Encryption Standard (AES) for symmetric encryption.

It is strongly recommended to use the RSA and Elliptic Curve Cryptography (ECC) algorithms for asymmetric encryption.

In general, Staysure adheres to the NIST Policy on Hash Functions.

Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH) key exchanges must be used.

End points must be authenticated before keys are exchanged or session keys are derived. Public keys used to establish trust must be authenticated prior to use.

All servers and applications using SSL or TLS must have their certificates signed by a known, trusted provider.

Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.

This policy must be verified and accepted by the Infosec team through different methods. Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.

Database Credentials Coding Policy

Introduction

For an application to connect to the internal database it must authenticate using database credentials. Improper use, storage and transmission of such credentials will lead to compromise of very sensitive data.

Scope

This policy applies to all system implementers and software engineers who write application code that accesses a database server on the Staysure network.

Policy

To maintain the security of Staysure's internal databases, access by software programs must be granted only after authentication with credentials.

The credentials used for this authentication must not reside in the main, executing body of the program.

Database credentials must not be stored in a location that can be accessed through a web server.

Database credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication.

Database credentials may not reside in the document tree of a web server.

Passwords or pass phrases used to access a database must adhere to the Password Policy.

Every program must have unique database credentials. Sharing of credentials between programs is not allowed.

Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy.

This policy must be verified and accepted by the Infosec team through different methods. Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.

Any program code or application that violates this policy must be remediated within a 90 day period.

Web Application Security Policy

Introduction

Web applications account for the largest portion of attack vectors outside malware. Every web application must be assessed for vulnerabilities prior to production deployment.

Scope

This policy covers assessments of all web applications, in order to maintain the security posture, compliance, risk management, and change control of technologies in use at Staysure.co.uk.

Policy

New Application Releases will be subject to a full assessment prior to release into the live environment.

Third Party Web Applications will be subject to a full assessment, after which they will be bound to policy requirements.

Patch Releases will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and architecture.

Any high risk issue must be fixed immediately, or other mitigation strategies must be put in place to limit exposure before deployment.

A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide.

A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.

A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

This policy must be verified and accepted by the Infosec team through different methods. Any employee found to have violated this policy will be dealt with in accordance with Staysure disciplinary procedures. This may lead to termination of employment for employees and termination of contract for service providers.
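The Acceptable Encryption Policy above lists its requirements in prose (AES for symmetric encryption, RSA/ECC for asymmetric, (EC)DH key exchange, endpoints authenticated before session keys are derived, certificates from a trusted provider). The following added example, which is not part of the policy text, shows how those rules look when enforced in code: a Python client-side SSLContext that only offers policy-compliant TLS settings, plus a small audit that reports which cipher suites a context would offer break the policy. The cipher-suite dictionaries mirror the shape returned by ssl.SSLContext.get_ciphers(); the sample list is constructed for the example, and the "kx-..."/"auth-..." strings are the OpenSSL names as surfaced by CPython (an assumption about the local build).

```python
import ssl

# Policy vocabulary mapped onto the strings ssl.SSLContext.get_ciphers() uses
# (assumption: OpenSSL names such as "kx-ecdhe", "auth-rsa", "aes-256-gcm").
# TLS 1.3 suites report "kx-any"/"auth-any" because key exchange and
# authentication are negotiated outside the suite and are always ephemeral
# (EC)DH plus certificate signatures, which satisfies the policy.
APPROVED_KEY_EXCHANGE = {"kx-ecdhe", "kx-dhe", "kx-any"}   # Diffie-Hellman / ECDH only
APPROVED_AUTH = {"auth-rsa", "auth-ecdsa", "auth-any"}      # RSA / ECC public keys
APPROVED_SYMMETRIC_PREFIX = "aes-"                          # AES is "strongly recommended"


def cipher_findings(info):
    """Check one cipher-suite description (dict shaped like an entry of
    SSLContext.get_ciphers()) against the policy.

    Returns {"must": [...], "should": [...]}: "must" entries break a hard
    requirement (key exchange / authentication), "should" entries break
    the AES recommendation.  Both lists empty means fully compliant.
    """
    must, should = [], []
    if info.get("kea") not in APPROVED_KEY_EXCHANGE:
        must.append("key exchange %r is not Diffie-Hellman/ECDH" % info.get("kea"))
    if info.get("auth") not in APPROVED_AUTH:
        must.append("peer authentication %r is not RSA/ECC" % info.get("auth"))
    symmetric = info.get("symmetric") or ""
    if not symmetric.startswith(APPROVED_SYMMETRIC_PREFIX):
        should.append("symmetric cipher %r is not AES" % symmetric)
    return {"must": must, "should": should}


def compliant_suites(suites):
    """Names of the suites that break no hard requirement."""
    return [s["name"] for s in suites if not cipher_findings(s)["must"]]


def audit_context(ctx):
    """Findings for every suite a live SSLContext would offer."""
    return {s["name"]: cipher_findings(s) for s in ctx.get_ciphers()}


def policy_context(cafile=None):
    """Client SSLContext enforcing the policy's hard rules: the peer is
    authenticated (chain validated against trusted CAs, hostname checked)
    before any session key is derived, TLS 1.2 or newer, and for TLS 1.2
    only ephemeral (EC)DH key exchange with RSA/ECDSA auth and AES-GCM."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # certificate chain must validate
    ctx.check_hostname = True             # and must belong to the intended host
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!PSK:!DSS")
    return ctx


def context_summary(ctx):
    """Plain-value view of the authentication-related settings of a context."""
    return {"min_version": ctx.minimum_version.name,
            "check_hostname": ctx.check_hostname,
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED}


# Constructed sample mirroring get_ciphers() output (not captured from a system).
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any", "symmetric": "aes-256-gcm"},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "symmetric": "aes-256-gcm"},
    {"name": "ECDHE-ECDSA-CHACHA20-POLY1305", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-ecdsa", "symmetric": "chacha20-poly1305"},
    {"name": "AES128-SHA", "protocol": "TLSv1.2",          # RSA key transport, no (EC)DH
     "kea": "kx-rsa", "auth": "auth-rsa", "symmetric": "aes-128-cbc"},
    {"name": "ADH-AES128-SHA", "protocol": "TLSv1.2",      # anonymous DH, peer unauthenticated
     "kea": "kx-dhe", "auth": "auth-null", "symmetric": "aes-128-cbc"},
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite["name"], cipher_findings(suite))
    ctx = policy_context()
    print(context_summary(ctx))
    hard = {n: f["must"] for n, f in audit_context(ctx).items() if f["must"]}
    print("hard violations offered by policy_context():", hard or "none")
```

Running the module on a real system prints the findings for the constructed suites and then audits the suites the local OpenSSL build actually offers through policy_context(); a non-empty "hard violations" line there means the cipher string needs tightening for that build.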
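The Database Credentials Coding Policy above forbids credentials in the executing body of a program, in any location reachable through a web server or its document tree, and shared between programs. The following added example, not part of the policy text, is a Python credential loader that enforces those rules at load time, together with a check for credentials shared between programs. The JSON file layout, the program registry passed to find_shared_credentials, the "program" field and the directory names are assumptions made for the example; the sample files are constructed in a temporary directory by demo().

```python
import json
import stat
import tempfile
from pathlib import Path

# The pattern the policy forbids: credentials embedded in the executing body of
# the program (and, if this file sat under the web root, served to the world).
#     conn = connect(user="billing_svc", password="hunter2")   # DO NOT DO THIS


def load_db_credentials(cred_path, web_document_roots, program_name):
    """Read JSON credentials for `program_name` from `cred_path`.

    Refuses the file if it lies inside any web server document tree, if it
    is readable or writable by group/other, or if it was issued to another
    program (every program must have its own credentials).
    """
    path = Path(cred_path).resolve()
    for root in web_document_roots:
        root = Path(root).resolve()
        if path == root or root in path.parents:
            raise PermissionError("credentials inside web document tree: %s" % path)
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("credentials file is group/world accessible: %s" % path)
    with open(path) as fh:
        data = json.load(fh)
    if data.get("program") != program_name:
        raise PermissionError("credentials issued to %r, not %r"
                              % (data.get("program"), program_name))
    return data["user"], data["password"]


def find_shared_credentials(program_to_user):
    """Return {db_user: [programs...]} for every DB user used by more than
    one program, i.e. every violation of the one-credential-per-program rule."""
    users = {}
    for program, user in program_to_user.items():
        users.setdefault(user, []).append(program)
    return {u: sorted(p) for u, p in users.items() if len(p) > 1}


def _write_secret(path, data):
    """Write a credentials file readable only by its owner."""
    path.write_text(json.dumps(data))
    path.chmod(0o600)


def _outcome(fn):
    """Run fn(); return its result, or the exception class name if refused."""
    try:
        return fn()
    except PermissionError as exc:
        return type(exc).__name__


def demo():
    """Constructed layout in a temporary directory exercising every rule."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp, "var", "www", "html")   # assumed web document tree
        confdir = Path(tmp, "etc", "staysure")      # assumed config dir, outside it
        webroot.mkdir(parents=True)
        confdir.mkdir(parents=True)
        # Constructed credentials; the password is a placeholder, not a real secret.
        billing = {"program": "billing-api", "user": "billing_svc", "password": "example-only"}

        good = confdir / "billing-api.json"
        _write_secret(good, billing)
        results["good"] = _outcome(lambda: load_db_credentials(good, [webroot], "billing-api"))

        leaked = webroot / "db.json"                # inside the document tree
        _write_secret(leaked, billing)
        results["in_webroot"] = _outcome(lambda: load_db_credentials(leaked, [webroot], "billing-api"))

        loose = confdir / "loose.json"              # right place, wrong permissions
        _write_secret(loose, billing)
        loose.chmod(0o644)
        results["world_readable"] = _outcome(lambda: load_db_credentials(loose, [webroot], "billing-api"))

        # another program trying to reuse billing-api's credentials
        results["wrong_program"] = _outcome(lambda: load_db_credentials(good, [webroot], "reporting-job"))

    results["shared"] = find_shared_credentials(
        {"billing-api": "billing_svc", "reporting-job": "billing_svc", "crm-sync": "crm_svc"})
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print("%-15s %s" % (rule, outcome))
```

The loader refuses rather than warns, so a mis-deployed credentials file fails the application at start-up where it is noticed, instead of silently serving a database password over HTTP. find_shared_credentials is the kind of check a developer group's rotation process can run over its deployment inventory to satisfy the unique-credentials rule.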
