V 2.0
Document Control
Version Control
Dissemination Level
PU Public ✔
The purpose of this policy is to outline Shufti Pro’s standards for the use of encryption technology
in order to properly secure and manage its data assets. There are additional Shufti
Pro security policies that reference the types of data that require encryption. This policy does
not cover what types of data must be encrypted, but rather how encryption is to be implemented
and controlled. These data encryption standards are to be read in conjunction with the Shufti
Pro Data Security and Protection Policy and Shufti Pro IT Policy.
2. Scope
This policy applies to all Shufti Pro staff that create, deploy, transmit, or support application
and system software containing Personal Data (as defined by the GDPR) or Personally
Identifiable Information (PII). It addresses encryption policy and controls for Personal Data or
PII that is at rest (including portable devices and removable media), data in motion
(transmission security), and encryption key standards and management.
3. Responsibility
The responsibility to ensure compliance with this policy shall rest with Shufti Pro’s Chief
Technical Officer (CTO). The CTO or their designee shall ensure:
i. Policies, procedures, scenarios, and processes shall identify Personal Data or PII that
must be encrypted to protect against persons or programs that have not been granted
access.
ii. Shufti Pro implements appropriate mechanisms to encrypt and decrypt Personal Data
or PII whenever deemed appropriate. Internal procedures shall specify how Shufti Pro
transmits sensitive information as well as how often the information is transmitted.
iii. When encryption is needed, based on data classification, to protect Personal Data or PII
during transmission, procedures shall specify the methods of encryption used to protect
the transmission of Personal Data or PII.
iv. Logical user access is managed separately and independently of native operating
system authentication and access control mechanisms (for example, by not using local
user account databases or general network login credentials) when disk encryption is
used rather than file or column level database encryption.
4. Policy
Shufti Pro uses software encryption technology to protect Personal Data or PII. To
provide the highest level of security while balancing throughput and response times,
encryption key lengths should use current industry standard encryption algorithms for
Personal Data or PII.
i. Hard drives that are not fully encrypted (e.g., disks that have one or more unencrypted
partitions, virtual disks) may be vulnerable to security breach from the encrypted
i. Key management is the most complex part of any security system dealing with
encryption of data. Key management procedures must ensure that authorized users
can access and decrypt all encrypted Personal Data or PII using controls that meet
operational needs. Shufti Pro key management systems are characterized by
the following security precautions and attributes:
a. Key management shall be fully automated. The Shufti Pro IT Manager
should not have the opportunity to expose a key or influence the key
creation.
5. Disciplinary Actions
Violation of this policy, [e.g., wilful or negligent exposure of Personal Data,] may result in
disciplinary action which may include termination of employment. A violation of this policy
by a temporary worker, contractor or vendor may result in the termination of their contract
or assignment with Shufti Pro. Additionally, employees, contractors and agents who violate
this policy may be subject to civil and criminal prosecution under the law.