Cryptographic Controls
23. Encryption Key Management
For UBC Systems under your control where encryption is required, do you have encryption "Key” management practices as outlined below?
Note, the scope of this question includes all servers, databases and applications hosted outside UBC's and UBC approved datacenter, cloud hosted systems such as servers on Compute Canada Cloud and AWS (IaaS), SaaS based like workday and PaaS based like platform.sh, etc. Respond 'Yes' unless you are aware of situations where encryption is required and key management is not in place.
Why is this Essential?
Encryption key management practice is essential in preventing unauthorized access to sensitive information. It is important to have the password or passphrase not be guessable or susceptible to crack easily. Should keys be compromised, entire systems and data can be compromised. By following the standards defined in the Passphrase and Password Protection standard in setting up a passphrase or a password, we make it hard for a threat actor(s) to access the data.
Further, If an encryption key is lost, corrupted or destroyed the only way to decrypt the data is through a process referred to as Key Recovery. The purpose of securely backing up these keys is to be able to decrypt data that would not otherwise be recoverable. Lack or absence of a key recovery strategy may result in data loss.
Reference Links
Key ManagementPassword Requirement section of U5
Key Escrow Guideline
Instructions
N/A
What is Acceptable?
A key management process is required where encryption keys are used to protect information. This process should cover key distribution, storage and protection, recovery and key change. Knowledge that a process exists and is followed will suffice, however ideally a documented process exists.
24. Cryptographic Controls (Procurement of Certificates)
For the UBC Systems under your control (consider servers, databases and applications) where encrypted sessions (data in transit) are required, do you have a process in place to ensure that X.509 certificates are issued by the University’s Enterprise account, via security@ubc.ca, and are configured and installed in collaboration with UBC Cybersecurity or other X.509 certificates that are in compliance with the Information Security Standard M7 - Cryptographic Controls?
Why is this Essential?
The X.509 certificate provided by cybersecurity team offer an enhanced level of protection for UBC Electronic Information in the event of theft, loss or interception by rendering information unreadable by unauthorized individuals.
Reference Links
Cryptographic RequirementsRequest SSL Certificates
Instructions
N/A
What is Acceptable?
IT support teams being aware of and utilizing the enterprise service constitutes a yes. If other services are used it is expected that the X.509 configuration have been reviewed against ISS M7 - Cryptographic Controls requirements.
Refer: Request SSL Certificates
25. Cryptographic Controls (Certificates)
Can you confirm that, for the UBC Systems under your control (consider servers, databases and applications) where encrypted sessions (for data in transit) are required, all existing X.509 certificates comply with the requirements of Information Security Standard M7 - Cryptographic Controls?
Why is this Essential?
Cryptographic controls provide an enhanced level of protection for UBC Electronic Information in the event of theft, loss or interception by rendering information unreadable by unauthorized individuals. It is also a legal requirement to encrypt sessions over the network, which has been affirmed by the British Columbia Information and Privacy Commissioner in their interpretation of the BC Freedom of Information and Protection of Privacy Act (FIPPA).
Reference Links
X.509 Certificates RequirementsInstructions
N/A
What is Acceptable?
There has been a review of X.509 certificates and we are aware that all under our control comply with the guidance in ISS M7 - Cryptographic Controls requirements.
If there are questions or if you need assistance in understanding the existing X.509 certificate, reach out to cybersecurity for assistance.
Request a consult with Cybersecurity