A.8.24 Use of cryptography

Version: 3.0

Valid until: 2025-03-26

Classification: Low

Version Management

Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson, Sarang Kulkarni | Initiation document. | 2022-07-07
1.1 | Edward Robinson | Additions/changes as part of the periodic review and improvement. Renamed to A.10 Cryptography from B14 IT Management. | 2022-10-19
2.0 | Edward Robinson | Additions/changes as part of the annual review. Added the article for assessing the Azure Security Score. | 2023-05-15
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated the link for the Record of Processing Activities under 10.1.1 and Administrations. | 2024-03-26

Purpose & background


In the interest of all the stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system (ISMS) in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the cryptography policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information (A.10.1).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.10.1 Cryptographic controls

A.10.1.1 Policy on the use of cryptographic controls


“A policy on the use of cryptographic controls for protection of information shall be developed and implemented.”


For all Software-as-a-Service (SaaS) applications that are used by anDREa, cryptography (such as encryption and certificate management) is outsourced to the supplier and is part of the supplier agreement.

Data on myDRE is encrypted at rest and in transit. The certificate of mydre.org is auto-renewed, and monitoring is in place to verify in a timely manner that renewal actually took place. By default, a Virtual Machine's Operating System (OS) and data disks are encrypted at rest using platform-managed keys (PMKs). Local Support Team members can verify the encryption of VMs and data disks by assessing the recommendations of the Azure Security Score.


An overview of encryption and certificates per asset used by anDREa can be found in the Record of Processing Activities. The status of the certificates of the SaaS applications that are used by anDREa is periodically monitored, and the results are registered in a ticket.
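The monitoring described above (is the auto-renewed mydre.org certificate actually fresh, and are the SaaS certificates still valid and issued for the right name?) is the kind of check that can be scripted so that its result can be attached to the periodic ticket. The following is an added example written for this page, not anDREa's own tooling or part of the policy. It uses only the Python standard library: fetch_peer_cert opens a verified TLS connection and returns the peer certificate in the dict format of ssl.SSLSocket.getpeercert(); assess_cert evaluates such a dict for expiry, remaining lifetime and subjectAltName coverage of the queried hostname. The 14-day warning threshold and the SAMPLE_CERT dict are assumptions constructed for illustration (a real mydre.org certificate will have different dates and issuer data).

```python
"""Certificate status check for hosts whose certificates are supposed to auto-renew.

Added example (not the page's or anDREa's own code). Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Assumption: alert when fewer than this many days remain. ACME-style auto-renewal
# normally renews around 30 days before expiry, so anything below 14 means renewal failed.
WARN_DAYS = 14


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a certificate-verified TLS connection and return the peer cert as getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against system trust store
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _san_matches(san: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname; a wildcard covers exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname


def assess_cert(cert: dict, hostname: str, now: Optional[datetime] = None,
                warn_days: int = WARN_DAYS) -> dict:
    """Classify a getpeercert()-style dict as OK / RENEWAL_OVERDUE / NAME_MISMATCH / EXPIRED."""
    now = now or datetime.now(timezone.utc)
    # notAfter is in OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form; ssl converts it to epoch seconds
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    covered = any(_san_matches(san, hostname) for san in sans)

    if days_left <= 0:
        status = "EXPIRED"
    elif not covered:
        status = "NAME_MISMATCH"      # valid cert, but not issued for the host we asked for
    elif days_left < warn_days:
        status = "RENEWAL_OVERDUE"    # auto-renewal should already have replaced it
    else:
        status = "OK"
    return {"hostname": hostname, "status": status, "days_left": int(days_left),
            "not_after": not_after.isoformat(), "sans": sans}


def report(hostnames, warn_days: int = WARN_DAYS) -> list:
    """Check each host; connection or verification failures are recorded rather than raised."""
    results = []
    for host in hostnames:
        try:
            results.append(assess_cert(fetch_peer_cert(host), host, warn_days=warn_days))
        except (OSError, ssl.SSLError) as exc:   # unreachable host, untrusted chain, name mismatch
            results.append({"hostname": host, "status": "UNREACHABLE", "error": str(exc)})
    return results


# Constructed sample in getpeercert() format; NOT a real mydre.org certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mydre.org"),),),
    "subjectAltName": (("DNS", "mydre.org"), ("DNS", "*.mydre.org")),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Apr 10 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    # Offline demonstration against the constructed certificate, evaluated at fixed dates.
    for day in (26, 30):
        print(assess_cert(SAMPLE_CERT, "portal.mydre.org", now=datetime(2025, 3, day, tzinfo=timezone.utc)))
    # Live check (needs network): print(report(["mydre.org"]))
```

Run it periodically (a scheduled job or pipeline step) against the list of SaaS hostnames from the Record of Processing Activities and file the returned list in the monitoring ticket; any result other than OK is the finding to act on. Because fetch_peer_cert uses a verifying context, a certificate from an untrusted issuer or one whose names do not cover the host is reported as UNREACHABLE with the SSL error, which is itself a finding.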


A.10.1.2 Key management


“A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.”


As described in A.10.1.1, cryptography for the SaaS applications used by anDREa is outsourced and part of the supplier agreement, and so is the key management. Data in the myDRE environment, which is built on Microsoft Azure, is encrypted at rest and in transit. The encryption keys that are used are platform-managed keys (PMKs): keys that are generated, stored and managed entirely by Azure. Customers do not interact with PMKs, and PMKs are not held in a customer-controlled Azure Key Vault (that is the model for customer-managed keys, which myDRE does not rely on for disk encryption by default). Certificate management for myDRE, by contrast, is done through Azure Key Vault.

Administrations

