Cryptography Policy

PURPOSE

Cryptography is the practice of securing information and communications through the use of codes, ensuring that only those for whom the information is intended can understand and process it. This prevents unauthorised access to information.

The purpose of this policy is to ensure the proper use and management of cryptographic controls to protect the confidentiality, integrity, and availability of sensitive information within the organisation. This policy outlines requirements for encryption, key management, and related security measures for use in storing, transmitting and communicating data through digital means, including programmatically.

SCOPE

This policy applies to all employees, contractors, and third-party entities who access, process, or store the data managed by HIC. It covers all systems, applications, and devices that utilise cryptographic techniques for data protection.

RESPONSIBILITIES

ROLE / RESPONSIBILITY

Team Leads

  • Responsible for overseeing the implementation and monitoring of the cryptography policy.

HIC Staff

  • Responsible for managing cryptographic systems and ensuring compliance with this policy.

HIC Clients, Third Parties and Suppliers

  • Responsible for adhering to the cryptography policy and reporting any security concerns.

POLICY

1. Usage Guidelines

  • Use cryptography where applicable, for purposes such as protecting sensitive data, authenticating users, and ensuring data integrity.

  • Use standard libraries wherever possible. Do not attempt to implement custom cryptographic algorithms unless absolutely necessary and approved by the HIC Change Management process.

  • Secure all communications involving sensitive information using approved encryption protocols.

2. Encryption Standards

  • Sensitive data must be encrypted in transit.

  • Encryption at rest or additional security boundaries are always in place for sensitive data.

  • Encryption methods must comply with industry standards such as AES (Advanced Encryption Standard).

  • To ensure privacy, data integrity, and authentication between two communicating applications, data in transit must be protected by an appropriate cryptographic protocol designed to provide secure communication over a computer network, such as TLS (Transport Layer Security) version 1.2 or higher.

3. Hashing Standards

  • Hashing is a one-way mathematical function that turns data into a string of nondescript text that cannot be reversed or decoded. In the context of cybersecurity, and this policy, hashing is a way to keep sensitive information and data, such as passwords, messages, and documents, secure.

  • Hashing is used where applicable (e.g. for storing passwords in web applications) and will use industry standards such as SHA256.

4. Key Management

  • In cryptography, a key is a string of characters used within an encryption algorithm for altering data so that it appears random. Like a physical key, it locks (encrypts) data so that only those with the right key can unlock (decrypt) it.

  • Cryptographic keys must be generated, stored, distributed, and retired securely.

  • Keys must never be embedded within application code, and must not be committed to version control systems.

  • Access to cryptographic keys must be restricted to authorised personnel only.

  • In order to limit the use of cryptographic keys by natural persons, HIC utilise programmatic access. This access is carried out within software on non-user systems to routinely retrieve secure data with no human intervention.

  • When keys expire, their use will be reviewed and the key replaced as needed.

  • Compromised or suspected compromised keys must be revoked and replaced immediately. This will also be raised as a HIC internal incident.

5. Compliance and Monitoring

  • Any non-compliance or identified vulnerabilities must be reported to a Line Manager to be actioned via HIC’s incident management process.

  • Cryptographic systems and practices must undergo periodic reviews and updates to address emerging threats and changes in technology.

 

APPLICABLE REFERENCES

  • Information Security Policy

  • Acceptable Use Policy

DOCUMENT CONTROLS

Process Manager: Chris Hall

Point of Contact: hicbusiness-support@dundee.ac.uk

Revision Number: 1.0

Revision Date: 24/01/25

Revision Made: Wrote new policy

Revision By: Chris Hall/Symone Sheane

Revision Category: Material

Approved By: HIC Leadership Team

Effective Date: 17/02/25

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system
prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.
