WebPeak Encryption Key Management Policy
Introduction
WebPeak recognizes that encryption is an essential component in protecting the confidentiality and integrity of sensitive information, and that the availability of encrypted information depends in turn on the availability of its keys: a lost key makes the data it protects unrecoverable. The effectiveness of encryption depends on the security of the encryption keys used. This policy defines the guidelines and procedures for the secure management of encryption keys, ensuring that they are generated, distributed, stored, rotated and disposed of in a secure manner and in accordance with best practices and international standards, including ISO 27001.
Objective
The aim of this policy is to ensure effective protection of the encryption keys used by WebPeak, minimizing the risk of compromise and ensuring that encrypted information remains secure. The policy aims to provide a framework for managing encryption keys at all stages of their lifecycle.
Scope
This policy applies to all encryption keys used by WebPeak, including, but not limited to:
Key Management Guidelines
Key generation
Encryption keys must be generated using cryptographically secure methods in accordance with internationally recognized standards. WebPeak will use only approved algorithms and key lengths, and key material must be drawn from a cryptographically secure random number generator (for example, the operating system's or HSM's CSPRNG, never a general-purpose random function or a value derived from predictable inputs), so that keys have the randomness and strength required to protect sensitive information.
Key storage
All encryption keys must be stored securely, using hardware security modules (HSMs) or other approved secure storage solutions. Keys must never be stored in plain text or in unsecured locations, such as configuration files, source code repositories, environment files committed to version control, or unprotected databases. Where a key must be held outside an HSM, it must be encrypted under a key-encryption key that is itself protected by an approved storage solution.
Key distribution
The distribution of encryption keys must be carried out in a secure manner, ensuring that keys are only transferred to authorized recipients. Keys must be transferred only over encrypted, mutually authenticated channels or wrapped under a key already held by the recipient, and personnel who request or receive keys must authenticate with multi-factor authentication. Keys must never be sent by e-mail, chat or other unencrypted messaging.
Key rotation
Encryption keys must be rotated periodically to mitigate the risk of compromise. WebPeak will define a rotation frequency (cryptoperiod) for each key type based on the sensitivity of the protected data and best security practices. Rotation must be planned so that data encrypted under a previous key remains decryptable until it has been re-encrypted under the new key, after which the previous key is retired. Compromised or suspected compromised keys must be replaced immediately, and the data they protected must be re-encrypted.
Key backup
Backups of encryption keys must be carried out regularly and stored in secure locations, separate from the backups of the data those keys protect. These backups must be protected by encryption and accessible only to authorized personnel. Recovery from key backups must be tested periodically to confirm that keys can be restored in the event of loss or failure.
Key disposal
Encryption keys that are no longer required or have been replaced must be destroyed in a secure and irrecoverable manner, including every copy held in backups and in HSMs. A replaced key that is still needed to decrypt retained or archived data must be kept in an archived, decrypt-only state until that data has been re-encrypted or destroyed, and only then disposed of. WebPeak will use approved methods for the disposal of keys, ensuring that they cannot be recovered or used again.
Auditing and Monitoring
The use and management of encryption keys will be monitored and audited regularly to ensure compliance with this policy. Logs of all operations involving keys, such as generation, distribution, rotation and destruction, will be kept and reviewed to identify any suspicious or unauthorized activity. Each log entry must record the identity of the requester, the key identifier, the operation and the time it occurred, and must never contain key material itself.
Responsibilities
Training and Awareness
All WebPeak employees involved in encryption key management will receive specific training on the best practices and guidelines set out in this policy. The training will include procedures for generating, storing, distributing, rotating and securely disposing of keys.
Policy Review
This policy will be reviewed annually or whenever there are significant changes in encryption technology, IT infrastructure or applicable regulations. Any revisions will be approved by senior management and communicated to all relevant employees.
Vendors
Zoho Vault
Approved by
Marcos Vinicius Custódio
Legal Representative