ISO 27001 Annex A: A.10.1.1, A.10.1.2, A.14.1.2, A.18.1.5
Keywords: Encryption key management
This policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, authenticity, and nonrepudiation of information.
This policy applies to all systems, equipment, facilities and information within the scope of Userflow’s information security program. All employees, contractors, part-time, and temporary workers, service providers, and those employed by others to perform work on behalf of the organization having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with it.
This policy defines the high level objectives and implementation instructions for Userflow’s use of cryptographic algorithms and keys. It is vital that the organization adopt a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security, while also promoting interoperability. This document defines the specific algorithms approved for use, requirements for key management and protection, and requirements for using cryptography in cloud environments.
The acting information security officer and team will facilitate and maintain this policy and ensure all employees have reviewed and read the policy.
Cryptography Controls
Userflow must protect individual systems or information by means of cryptographic controls as defined in Table 3:
Table 3: Cryptographic Controls
When required, customers of Userflow’s cloud-based software platform offering must be able to obtain information regarding:
The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work. Encryption must not be used to violate any laws or regulations including import/export restrictions. The encryption used by Userflow conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
Except where otherwise stated, keys must be managed by their owners. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
All key management must be performed using software that automatically manages key generation, access control, secure storage, backup and rotation of keys. Specifically:
Keys used for secret key encryption (symmetric cryptography), must be protected as they are distributed to all parties that will use them.
Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.
Public key cryptography (asymmetric cryptography), uses public-private key pairs. The public key is passed to the certificate authority to be included in the digital certificate issued to the end user. The digital certificate is available to everyone once it issued. The private key should only be available to the end user to whom the corresponding digital certificate is issued.
Userflow’s Public Key Infrastructure (PKI)
Other Public Key
Other types of keys may be generated in software on the end user’s computer and can be stored as files on the hard drive or on a hardware token. If the public-private key pair is generated on smartcard, the requirements for protecting the private keys are the same as those for private keys associated with Userflow PKI.
Commercial/Outside Organization Public Key Infrastructure (PKI)
In working with business partners, the relationship may require the end users to use public-private key pairs that are generated in software on the end user’s computer. In these cases:
PGP Key Pairs
If the business partner requires the use of PGP, the public-private key pairs can be stored in the user’s key ring files on the computer hard drive or on a hardware token, for example, a USB drive or a smart card. Since the protection of the private keys is the passphrase on the secret keying, it is preferable that the public-private keys are stored on a hardware token. PGP will be configured to require entering the passphrase for every use of the private keys in the secret key ring.
Hardware tokens storing encryption keys will be treated as sensitive company equipment, as described in Userflow’s Physical Security Policy, when outside company offices.
All PINs, passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in Userflow’s Password Policy.
The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately.