ISMS/01-policies/cryptography-and-key-management-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

Title: Cryptography and Key Management Policy
Document ID: [POL-CRYPTO-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Cryptography and Key Management Policy

Purpose

This policy defines BlackDice's expectations for the use of cryptographic controls and the secure management of keys, secrets, and certificates.

Scope

This policy applies to cryptographic protections used for data at rest, data in transit, identity material, secrets, certificates, and platform integrations within the ISMS scope.

Objectives

  • protect sensitive information using appropriate cryptographic controls
  • reduce the risk of compromise through weak or poorly managed keys and secrets
  • support secure cloud-native and software delivery operations

Principles / Policy Statements

Cryptographic controls must be selected based on business need, risk, and applicable legal or contractual requirements.

Sensitive information in transit must be protected using approved secure protocols.

Secrets, keys, tokens, and certificates must be generated, stored, rotated, distributed, and revoked using controlled processes.

Hard-coded secrets in source code, CI/CD pipelines, container images, or infrastructure definitions are prohibited unless explicitly justified and approved.

Access to key and secret management functions must be limited to authorised personnel and systems.

Roles and Responsibilities

  • [Role] must define approved cryptographic requirements.
  • System owners must ensure their services use appropriate protections.
  • Engineering and operations teams must manage secrets and certificates through approved methods.

Compliance / Exceptions

Any deviation from approved cryptographic or key management practice must be documented and approved as an exception.

Monitoring and Review

This policy should be reviewed alongside secrets management activity, certificate issues, incident findings, and control assurance activity.

Related Documents

  • Information Security Policy
  • Secrets Management Standard
  • Secure Configuration Standard
  • Secure Development Policy

Version Control

| Version   | Date             | Description of Change | Author         |
|-----------|------------------|-----------------------|----------------|
| 0.1 Draft | [DD Month YYYY]  | Initial draft.        | [Name or Role] |