MFA on VPN

Multi-factor Authentication Required for myVPN Starting July 22, 2024 - Learn More

CSP - IT Rep - Cryptographic Controls

 
Cryptographic Controls  
 

23. Encryption Key Management

For UBC Systems under your control where encryption is required, do you have encryption "Key” management practices as outlined below?

  • whenever a password or passphrase is used as, or to generate, a Key, it follows the standards defined in the Passphrase and Password Protection standard; and
  • have a key recovery strategy in place that involves an approved escrow or other viable alternative (refer to Key Escrow Guideline).
Note, the scope of this question includes all servers, databases and applications hosted outside UBC's and UBC approved datacenter, cloud hosted systems such as servers on Compute Canada Cloud and AWS (IaaS), SaaS based like workday and PaaS based like platform.sh, etc. Respond 'Yes' unless you are aware of situations where encryption is required and key management is not in place.
Why is this Essential?

Encryption key management practice is essential in preventing unauthorized access to sensitive information. It is important to have the password or passphrase not be guessable or susceptible to crack easily. Should keys be compromised, entire systems and data can be compromised. By following the standards defined in the Passphrase and Password Protection standard in setting up a passphrase or a password, we make it hard for a threat actor(s) to access the data.

Further, If an encryption key is lost, corrupted or destroyed the only way to decrypt the data is through a process referred to as Key Recovery. The purpose of securely backing up these keys is to be able to decrypt data that would not otherwise be recoverable. Lack or absence of a key recovery strategy may result in data loss.


Reference Links​
Key Management
Password Requirement section of U5
Key Escrow Guideline

Instructions​

N/A


What is Acceptable?

A key management process is required where encryption keys are used to protect information. This process should cover key distribution, storage and protection, recovery and key change. Knowledge that a process exists and is followed will suffice, however ideally a documented process exists.




 

24. Cryptographic Controls (Procurement of Certificates)

For the UBC Systems under your control (consider servers, databases and applications) where encrypted sessions (data in transit) are required, do you have a process in place to ensure that X.509 certificates are issued by the University’s Enterprise account, via security@ubc.ca, and are configured and installed in collaboration with UBC Cybersecurity or other X.509 certificates that are in compliance with the Information Security Standard M7 - Cryptographic Controls?


Why is this Essential?

The X.509 certificate provided by cybersecurity team offer an enhanced level of protection for UBC Electronic Information in the event of theft, loss or interception by rendering information unreadable by unauthorized individuals.


Reference Links​
Cryptographic Requirements
Request SSL Certificates

Instructions​

N/A


What is Acceptable?

IT support teams being aware of and utilizing the enterprise service constitutes a yes. If other services are used it is expected that the X.509 configuration have been reviewed against ISS M7 - Cryptographic Controls requirements.
Refer: Request SSL Certificates

 


 

25. Cryptographic Controls (Certificates)

Can you confirm that, for the UBC Systems under your control (consider servers, databases and applications) where encrypted sessions (for data in transit) are required, all existing X.509 certificates comply with the requirements of Information Security Standard M7 - Cryptographic Controls?


Why is this Essential?

Cryptographic controls provide an enhanced level of protection for UBC Electronic Information in the event of theft, loss or interception by rendering information unreadable by unauthorized individuals. It is also a legal requirement to encrypt sessions over the network, which has been affirmed by the British Columbia Information and Privacy Commissioner in their interpretation of the BC Freedom of Information and Protection of Privacy Act (FIPPA).


Reference Links​
X.509 Certificates Requirements

Instructions​

N/A


What is Acceptable?

There has been a review of X.509 certificates and we are aware that all under our control comply with the guidance in ISS M7 - Cryptographic Controls requirements.
If there are questions or if you need assistance in understanding the existing X.509 certificate, reach out to cybersecurity for assistance.
Request a consult with Cybersecurity

 


UBC Crest The official logo of the University of British Columbia. Urgent Message An exclamation mark in a speech bubble. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Chats Two speech clouds. Facebook The logo for the Facebook social media service. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Telephone An antique telephone. Plus A plus symbol indicating more or the ability to add. Search A magnifying glass. Twitter The logo for the Twitter social media service. Youtube The logo for the YouTube video sharing service. Bell Warning