UnixTime

Research Note

Cryptographic Controls Policy

Use this policy to define approved cryptographic uses, algorithms, protocols, key management responsibilities, legal checks, and exceptions.

On this page

When to use this

Use this policy to define approved cryptographic uses, algorithms, protocols, key management responsibilities, legal checks, and exceptions.

Policy areas

Area Rule/requirement Owner Evidence
Approved algorithms/protocols TBD TBD TBD
Prohibited algorithms/protocols TBD TBD TBD
Key generation TBD TBD TBD
Key storage TBD TBD TBD
Key rotation/expiry TBD TBD TBD
Certificate management TBD TBD TBD
Key escrow/recovery TBD TBD TBD
Legal/regulatory restrictions TBD TBD TBD

Minimum rules

  • Cryptographic use must trace to risk or legal/business requirement.
  • Approved industry-standard algorithms must be used.
  • Secret/private keys must be protected from disclosure.
  • Public keys and certificates must be protected from unauthorized replacement.
  • Key lifecycle controls must be defined before production use.
  • Exceptions must be risk-assessed and approved.