Encryption Key Management Policy

Policy date: 9/8/2024

 WebPeak Encryption Key Management Policy   

Introduction  

WebPeak recognizes that encryption is an essential component in protecting the confidentiality and integrity of sensitive information. Encryption is only as strong as the protection given to the keys that it depends on: a well-chosen algorithm offers no protection if the key can be read, copied or misused. This policy defines the guidelines and procedures for the secure management of encryption keys, ensuring that they are generated, distributed, stored, rotated, backed up and disposed of securely, in accordance with best practices and international standards, including ISO/IEC 27001.

Objective  

The aim of this policy is to ensure effective protection of the encryption keys used by WebPeak, minimizing the risk of key compromise and ensuring that encrypted information remains secure for as long as it must be protected. The policy provides a framework for managing encryption keys at every stage of their lifecycle, from generation to destruction.

Scope  

This policy applies to all encryption keys used by WebPeak, including, but not limited to:

  • Symmetric and asymmetric encryption keys.
  • Digital certificates and their private keys.
  • Keys used to protect data at rest, data in transit and data in use.
  • Keys used in cloud encryption services managed by WebPeak.


Key Management Guidelines  

Key generation  

Encryption keys must be generated using cryptographically secure methods in accordance with internationally recognized standards, such as NIST SP 800-57 for key management. Keys must be produced by a cryptographically secure random number generator (or by the HSM or key management service that will hold them), using approved algorithms and key lengths appropriate to the sensitivity and required protection period of the data. Keys must never be derived from predictable values, hard-coded, or reused across different systems or purposes.

Key storage  

All encryption keys must be stored securely, using hardware security modules (HSMs) or other approved secure storage solutions such as a managed key management service or the approved password vault. Keys must never be stored in plain text or in unsecured locations, such as configuration files, source code or version control repositories, unprotected databases, or unencrypted backups. Access to stored keys must follow the principle of least privilege and be limited to the systems and personnel that require it.

Key distribution  

The distribution of encryption keys must be carried out in a secure manner, ensuring that keys are only transferred to authorized recipients and that the recipient's identity is verified beforehand. Secure methods, such as encrypted channels, key wrapping under a key already held by the recipient, and multi-factor authentication, must be employed to protect key distribution. Keys must never be sent over unencrypted channels such as e-mail or chat, and a key and its protecting secret (for example a passphrase) must not be sent over the same channel.

Key rotation  

Encryption keys must be rotated periodically to limit the amount of data protected by any single key and to reduce the impact of an undetected compromise. WebPeak will define a key rotation frequency based on the sensitivity of the protected data and best security practices. Rotation must be planned so that data encrypted under a retired key remains recoverable until it has been re-encrypted under the new key; each key must therefore carry an identifier and version so that the correct key can be selected for decryption. Compromised or suspected compromised keys must be replaced immediately, and all data protected by them re-encrypted.

Key backup  

Backups of encryption keys must be carried out regularly and stored in secure locations, separate from the data backups that those keys protect, so that the loss of one storage location does not expose both. Key backups must themselves be encrypted, with the protecting key held outside the backup set, and accessible only to authorized personnel. It is essential to ensure that key backups are recoverable in the event of loss or failure; recovery procedures must be tested periodically rather than assumed to work.

Key disposal  

Encryption keys that are no longer required or have been replaced must be destroyed in a secure and irrecoverable manner. WebPeak will use approved methods for the disposal of keys, such as the key destruction function of the HSM or key management service and secure erasure (zeroization) of any copies held in software, ensuring that the keys cannot be recovered or used again. Before a key is destroyed, it must be confirmed that no data still depends on it, or that such data has been re-encrypted or is itself scheduled for disposal. Where a digital certificate is retired or its private key is compromised, the certificate must also be revoked.

Auditing and Monitoring  

The use and management of encryption keys will be monitored and audited regularly to ensure compliance with this policy. Logs of all operations involving keys, such as generation, distribution, access, rotation, backup and destruction, will be kept, protected against tampering and reviewed to identify any suspicious or unauthorized activity. The logs themselves must never contain key material.

Responsibilities  

  • IT team: Responsible for implementing and maintaining encryption key management mechanisms, including key generation, storage and rotation.
  • System Owners: Responsible for ensuring that the systems under their management use appropriate encryption and key management practices.
  • Information Security Management: Responsible for auditing and regularly reviewing key management practices to ensure compliance with policy.

Training and Awareness  

All WebPeak employees involved in encryption key management will receive specific training on the best practices and guidelines set out in this policy. The training will include procedures for generating, storing, distributing, rotating and securely disposing of keys.

Policy Review  

This policy will be reviewed annually or whenever there are significant changes in encryption technology, IT infrastructure or applicable regulations. Any revisions will be approved by senior management and communicated to all relevant employees.

Vendors

Zoho Vault

Approved by  

Marcos Vinicius Custódio
Legal Representative