Data Encryption Policy

From Wikimedia UK
Jump to: navigation, search
Comment This policy was adopted by the Board on 9 February 2013. It is part of a series of IT Security Policy.

Introduction[edit | edit source]

This policy provides guidance on the use of encryption. This policy lays down the best practices for use of cryptographic controls for protection of confidentiality, integrity, authentication of the WMUK informational assets. This policy also ensures that the use of encryption technologies conforms to British as well as other applicable laws.

Key Principles[edit | edit source]

  • This policy applies to all employees and volunteers working on behalf of WMUK, and to all electronic transactions wherein one or more parties are one or more of the above-mentioned and data containing personally identifiable information is being shared.
  • This policy lays out the basic standards to ensure that data which contains personally identifiable information is shared with appropriate security provisions in place.
  • If staff or volunteers are unsure about how to meet these standards is not an acceptable to use this as a basis for failing to meet them, as this is incumbent on anyone who upholds Wikimedia UK's duty of care to individuals whose information it holds
  • This policy seeks to set out the basis minimum standards which staff and volunteers should adhere to. If staff or volunteers are unsure about how to meet these standards they are entitled to in-house training as requested.

Recommended encryption[edit | edit source]

  • For senstive data the following encryption programs may be used:
  • WinZip
  • WinRar
  • Recommended settings for the key size is 128 bits for symmetric keys and 4096 bits for asymmetric keys. Encryption passwords should be strong (i.e. over 8 characters in length, not a single dictionary word, etc.)

Digital signatures[edit | edit source]

  • Use of digital signatures (PGP) on all emails is suggested.
  • Each user shall be personally responsible for the secure use and protection of his PGP private key. Repudiation of any signed records shall be not acceptable except in special circumstances.
  • Any user who would like training on how to set these systems up and use them correctly should contact the Office and Development Manager.

Best practice[edit | edit source]

  • Information assets labeled as "Highly Confidential" are to be maintained in an encrypted manner, with the use of the Asset owner's public key.
  • Exchange of passwords, credit card numbers or any such sensitive information shall be done only using high grade encryption software, such as TruCrypt.
  • Sensitive information stored on removable media (e.g. DVD's or USB devices) should be adequately encrypted, using strong passwords - check using this online tool

Enforcement[edit | edit source]

  • Any person bound by this policy who intentionally and/or knowingly violates this policy shall be subject to disciplinary action. Such action shall not preclude adequate civil and / or criminal remedy as per the applicable law.