
DATA ENCRYPTION POLICY

V 2.0

Copyright © 2019 All Rights Reserved by Shufti Pro Limited


Data Encryption Policy for Shufti Pro Limited

Document Control

Prepared By: Steve Atkin

Approved By: Shahid Hanif

Reference Documents: Shufti Pro Data Encryption Policy

Version Control

Version Number | Date Issued | Author | Update Information
V1.0 | August 7, 2018 | Steve Atkin | First Published Version
V2.0 | July 18, 2019 | Steve Atkin | Revised Version

Dissemination Level

PU Public ✔

PP Restricted to other program participants.

RE Restricted to a group specified by the company participants.

CON Confidential, only for members of the company.



1. Purpose

The purpose of this policy is to outline Shufti Pro’s standards for the use of encryption technology
in order to properly secure and appropriately manage its data assets. There are additional Shufti
Pro security policies that reference the types of data that require encryption. This policy does
not cover what types of data must be encrypted, but rather how encryption is to be implemented
and controlled. These data encryption standards are to be read in conjunction with the Shufti
Pro Data Security and Protection Policy and Shufti Pro IT Policy.

2. Scope

This policy applies to all Shufti Pro staff that create, deploy, transmit, or support application
and system software containing Personal Data (as defined by the GDPR) or Personally
Identifiable Information (PII). It addresses encryption policy and controls for Personal Data or
PII that is at rest (including portable devices and removable media), data in motion
(transmission security), and encryption key standards and management.

3. Responsibility
The responsibility to ensure compliance with this policy shall rest with Shufti Pro’s Chief
Technical Officer (CTO). The CTO or their designee shall ensure:

i. Policies, procedures, scenarios, and processes shall identify Personal Data or PII that
must be encrypted to protect against persons or programs that have not been granted
access.
ii. Shufti Pro implements appropriate mechanisms to encrypt and decrypt Personal Data
or PII whenever deemed appropriate. Internal procedures shall specify how Shufti Pro
transmits sensitive information as well as how often the information is transmitted.
iii. When encryption is needed, based on data classification, to protect Personal Data or PII
during transmission, procedures shall specify the methods of encryption used to protect
the transmission of Personal Data or PII.
iv. Logical user access is managed separately and independently of native operating
system authentication and access control mechanisms (for example, by not using local
user account databases or general network login credentials) when disk encryption is
used rather than file or column level database encryption.

4. Policy

A. ENCRYPTION KEY LENGTH

Shufti Pro uses software encryption technology to protect Personal Data or PII. To
provide the highest-level security while balancing throughput and response times,
encryption key lengths should use current industry standard encryption algorithms for
Personal Data or PII.

B. DATA ENCRYPTION AT REST

i. Hard drives that are not fully encrypted (e.g., disks that have one or more unencrypted
partitions, virtual disks) may be vulnerable to security breach from the encrypted
region to the unencrypted region. Full disk encryption avoids this problem and shall
be the method of choice for user devices containing Personal Data or PII. Use of
USB sticks shall be strictly disabled for all devices that hold or process Personal
Data or PII.
ii. Only authorized requests (through Basic Access Authentication) shall be allowed
access to Personal Data or PII.
iii. Personal Data or PII at rest on computer systems owned by and located within Shufti
Pro controlled spaces, devices, and networks should be protected by one or more of
the following encryption standards:

a. Advanced Encryption Standard (AES) (minimum encryption key length of 256 bits)
b. Use of Virtual Private Networks (VPNs) and Firewalls with strict
access controls that authenticate the identity of those individuals
accessing the Personal Data or PII
c. File systems, disks, and tape drives in servers and Storage Area Network
(SAN) environments are encrypted using industry standard encryption
technology
d. Supplemental compensating or complementary security controls
including complex passwords, and physical isolation/access to the data

C. DATA ENCRYPTION IN TRANSIT

i. Formal transfer policies, protocols, procedures, and controls are implemented to
protect the transfer of information through the use of all types of communication and
transmission facilities.
ii. Strong cryptography and security protocols (e.g. TLS, SSL, RSA, etc.) are used to
safeguard Personal Data or PII during transmission over open public networks. Such
controls include:
a. Transmitting unencrypted Personal Data through the use of web email
programs (Yahoo, AOL, Gmail, etc.) shall not be allowed.
b. All confidential and restricted information transmitted around existing
wireless networks must be encrypted using WEP (Wired Equivalent
Privacy) or better. All new wireless networks installations must be
encrypted using WPA (Wi-Fi Protected Access) or better.
c. API requests to Shufti Pro servers shall be authenticated through the
most advanced HTTP authentication mechanisms including Basic
Access Authentication. Signature validation shall be performed for all
request responses.

D. ENCRYPTION KEY MANAGEMENT

i. Key management is the most complex part of any security system dealing with
encryption of data. Key management procedures must ensure that authorized users
can access and decrypt all encrypted Personal Data or PII using controls that meet
operational needs. Shufti Pro key management systems are characterized by
the following security precautions and attributes:
a. Key management shall be fully automated. The Shufti Pro IT Manager
should not have the opportunity to expose a key or influence the key
creation.



b. Centralised repositories for encryption keys shall be maintained. Only
authorized nodes can access the encryption repositories.
c. Backup storage shall be maintained for key passwords, files, and
Personal Data or PII to avoid a single point of failure and ensure access to
encrypted Personal Data or PII. Keys shall be retired or replaced (for example,
archiving, destruction, and/or revocation) as deemed necessary
when the integrity of the key has been weakened or keys are suspected
of being compromised.
d. Private keys shall be kept confidential and encrypted in transit.
Decryption keys shall not be associated with user accounts.

5. Disciplinary Actions

Violation of this policy (e.g., wilful or negligent exposure of Personal Data) may result in
disciplinary action which may include termination of employment. A violation of this policy
by a temporary worker, contractor or vendor may result in the termination of their contract
or assignment with Shufti Pro. Additionally, employees, contractors and agents who violate
this policy may be subject to civil and criminal prosecution under the law.

