IOMG Technical Standards: Encryption Standards
Encryption in Transit
Encrypted communication transiting owned or managed infrastructure MUST be designed to support content inspection capabilities as part of the security boundary inspection policy.
Encrypted communications channels MUST be protected using one of the following methods:
- At the application layer, using Transport Layer Security (TLS)or Secure Sockets Layer SSL;
- At the network layer, using Internet Protocol Security (IPSec);
- Secure Shell (SSH) [for remote administration of systems
- A bespoke solution assured by the Department's risk management process and approved by DAB
Encryption at Rest
All user-writable partitions on portable devices (laptops, phones, etc.) and portable storage media MUST be encrypted at the media-level (i.e. Full Disk Encryption (FDE)).
- Information held encrypted at rest MUST also be integrity protected.
- In a scheme that uses a password as the authentication mechanism, this equates to a password that is of sufficient length and complexity to match t requirements in the password policy defined for the system.
- The encryption software must restrict the number of authentication attempts within any given time interval.
