Encryption Policy Template
Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data.
Please use these policy templates as a way to get your organization on the right track when it comes to full policy creation and adoption.
If your organization is going to make changes to information resources, it's helpful to understand what changes are being made and to ensure that you're guiding the decisions behind these changes.
The purpose of the (Company) Encryption Policy is to establish the rules for acceptable use of encryption technologies relating to (Company) Information Resources.
The (Company) Encryption Policy applies to individuals responsible for the set up or maintenance of (Company) encryption technology.
- All encryption technologies and techniques used by (Company) must be approved by (Company) IT Management.
- (Company) IT Management is responsible for the distribution and management of all encryption keys, other than those managed by (Company)
- All use of encryption technology should be managed in a manner that permits properly designated (Company) personnel to promptly access all data, including for purposes of investigation and business continuity.
- Only encryption technologies that are approved, managed, and distributed by (Company) IT may be used in connection with (Company) Information Resources, other than those managed by (Company)
- (Company) IT Management will create and publish the (Company) Encryption Standards, which must include, at a minimum:
  - The type, strength, and quality of the encryption algorithm required for various levels of protection.
  - Key lifecycle management, including generation, storing, archiving, retrieving, distributing, retiring, and destroying keys.
- All (Company) information classified as confidential must be encrypted when:
  - Transferred electronically over public networks.
  - Stored on mobile storage devices.
  - Stored on laptops or other mobile computing devices.
  - At rest.
- The use of proprietary encryption algorithms is not permitted, unless approved by (Company) IT Management.
- The use of encryption for any data transferred outside of the United States must be formally approved by (Company) IT Management prior to transfer.
See Appendix A: Definitions
- ISO 27002: 10, 14, 18
- NIST CSF: PR.DS
- Information Classification and Management Policy
- Encryption Standard
Waivers from certain policy provisions may be sought following the (Company) Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.