MedStack Technology Compliance Policies

Cryptography

Use the best reasonably available cipher strength and key length

• AES-256 cipher
• 2048-bit keys

Use current standard open-source and vendor cryptographic methods and implementations

• Follow independent expert guidance from standards organizations and academia.
• Update protocols and configurations when older versions are found to be insecure.

Encrypt all data at rest

• Encrypt data at rest using
  • For devices: the official vendor or standard open-source method (e.g. FileVault, dm-crypt and LUKS)
  • For infrastructure: a method provided by the cloud provider (e.g; full disk encryption, server-side encryption, storage encryption)

Encrypt all data in transit

• Encrypt data during transmission over all networks (public and private)
• Encrypt HTTPS/TLS connections using strong cryptography as defined by PCI DSS

Manage cryptographic keys

• Automate the entire key lifecycle
  • Centrally manage the distribution of keys.
  • Automate generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
• Protect keys
  • against modification or loss
  • for private keys, against unauthorized use and disclosure
• Rotate keys when
  • a suspected breach occurs
  • an entity with access to the key must have its access removed

Use certificates to authenticate keys

• Protect endpoints with certificates.
• Use commonly accepted and independently trusted signing authorities for all public endpoint certificates.

Legal compliance

• Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References