The Netspective Communications LLC implements the Key Management Policy, which comprises procedures for the secure management of cryptographic keys. The policy aims to protect sensitive information and ensure the confidentiality, integrity, and availability of data.
The Netspective Communications LLC Data Classification Policy and the Information Security Policy require the use of cryptography. The Netspective Communications LLC must: [FII-SCF-008-CRY-09]
- Protect the confidentiality of sensitive information or information subject to legal and regulatory encryption requirements.
- Determine if critical information has been altered by performing hash functions or digitally signing.
- Provide strong authentication for users of applications and information systems by using digital certificates and smartcards.
- Enable the proof of the identity of the originator of critical transactions or communications through the use of digital signatures for non-repudiation.
When selecting and implementing a cryptographic solution, it is essential to consider the legal aspects of using encryption. This process should include:
- Identifying legal obligations in relevant jurisdictions.
- Assessing the risks associated with using cryptographic solutions, including legal risks.
- Selecting a suitable cryptographic solution that meets legal, regulatory, and industry standards.
Accountable and responsible parties in Digital must have resources and processes in place to manage cryptographic solutions, which include:
- Executive management approving the use of cryptographic solutions.
- Assigning responsibilities for cryptographic solutions.
- Addressing conflicting laws and regulations concerning the use of cryptographic solutions in different jurisdictions, such as obtaining advice from the legal function.
- Ensuring that cryptographic solutions are kept up to date.
Relevant business managers and IT specialists must have access to:
- Expert technical and legal advice regarding the use of cryptography.
- A list of approved cryptographic solutions.
- An up-to-date register of cryptographic solutions.
- All personnel authorized for Netspective Communications LLC Crypto must receive training relevant to their role and must complete the required authorization certificate before performing their duties.
- Records of specific Crypto Training and appropriate certifications for all authorized personnel must be maintained and made available for regular audits.
- Any Crypto Authorized person on the Netspective Communications LLC account who violates or attempts to violate this policy, its associated standards, or procedures may face removal from the Netspective Communications LLC’s account, and appropriate disciplinary measures may be applied.
The Netspective Communications LLC must maintain a register of approved cryptographic solutions, which:
- Specifies the intended use of encryption within the Netspective Communications LLC.
- Provides details about the locations where cryptographic solutions are applied.
- Includes information regarding the licensing requirements for using cryptographic solutions.
- Is accessible to relevant business managers, IT and data specialists, as well as authorized external parties such as regulatory authorities and law enforcement.
The Netspective Communications LLC must deploy a robust, well-managed, and governed Public Key and Trust Infrastructure (PKI) for public/private cryptography, such as SSL and TLS.
The Netspective Communications LLC must support the PKI with:
- Establishing a certificate policy that defines the rules for issuing, using, and relying upon certificates.
- Creating Certification Practice Statements (CPS) for each type of digital certificate issued by a Certification Authority (CA). The CPS provides a summary of the detailed processes and procedures employed by the CA, outlining the implementation of the rules specified in the Certificate Policy and the subsequent technical, procedural, and administrative controls.
In compliance with the Certificate Policy, a Netspective Communications LLC certificate deployment must provide security management services that include:
- Generating, storing, and maintaining keys/certificates and keeping an inventory.
- Modifying and distributing certificates.
- Generating and distributing Certificate Revocation Lists (CRL).
- Managing directory-related items pertaining to certificates.
- Performing system management functions such as configuration management and archival.