
Encryption Policy

Tags: SOC 2, ISO 27001, PCI DSS, Data Security, Privacy


Overview & Purpose

The purpose of this policy is to define how [Company Name] protects sensitive data using encryption technologies. Encryption safeguards data from unauthorized access and is a foundational requirement for regulatory compliance, client trust, and internal security practices.

Scope

This policy applies to all employees, contractors, and systems at [Company Name] that store, process, or transmit sensitive data—including customer data, employee records, and internal documents. It covers data at rest and in transit across all company-managed systems and services.

Policy

  • Data in Transit
    • All data transmitted over public or untrusted networks (e.g., the internet) must be encrypted using TLS 1.3 whenever possible. TLS 1.2 is acceptable for compatibility with trusted legacy systems. Older protocols (TLS 1.0/1.1) are prohibited.
    • Emails containing sensitive information must be sent using secure email protocols or encrypted attachments.
    • APIs and internal services must use HTTPS with valid SSL/TLS certificates.
  • Data at Rest
    • All company databases and file storage systems must use encryption at rest. This includes cloud-based storage (e.g., AWS S3, Azure Blob) and, where applicable, on-premises servers.
    • Workstations and laptops must use full disk encryption (e.g., BitLocker for Windows, FileVault for macOS).
  • Key Management
    • Encryption keys must be stored securely using a key management service (KMS), and not embedded in code or stored in plain text.
    • Only authorized personnel may access encryption keys. Access must be logged and monitored.
    • Keys must be rotated regularly based on risk and usage, or immediately upon suspected compromise.
  • Password Storage
    • Passwords must never be stored in plain text.
    • Passwords must be hashed using a strong one-way hashing algorithm with a salt (e.g., bcrypt, scrypt, or Argon2).
  • Third-Party Tools
    • Vendors or tools that handle sensitive data must demonstrate encryption standards aligned with this policy.
    • Contracts with vendors must require encryption of sensitive customer and business data.
  • Mobile & Removable Media
    • If sensitive data must be stored on mobile devices or removable media (e.g., USB drives), it must be encrypted using strong encryption (e.g., AES-256).
  • Employee Responsibility
    • Employees must avoid sending unencrypted sensitive data through unsecured channels (e.g., plain email, personal messaging apps).
    • Any suspected loss or breach of encrypted data must be reported immediately to the Security Officer.

Compliance

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. [Company Name] reserves the right to audit encryption practices and require remediation for any non-compliant systems or processes.

Review History

Version | Date | Reviewer | Change Description