MedStack Technology Compliance Policies

Cryptography

Use the best reasonably available cipher strength and key length

  • AES-256 cipher
  • 2048-bit keys

Use current standard open-source and vendor cryptographic methods and implementations

  • Follow independent expert guidance from standards organizations and academia.
  • Update protocols and configurations when older versions are found to be insecure.
  Code     Section                              Title
  OWASP    Cryptographic Storage Cheat Sheet    Algorithms
  OWASP    Cryptographic Storage Cheat Sheet    Custom Algorithms

Encrypt all data at rest

  • Encrypt data at rest using:
    • For devices: the official vendor or standard open-source method (e.g. FileVault, dm-crypt and LUKS)
    • For infrastructure: a method provided by the cloud provider (e.g. full disk encryption, server-side encryption, storage encryption)

Encrypt all data in transit

  • Encrypt data during transmission over all networks (public and private)
  • Encrypt HTTPS/TLS connections using strong cryptography as defined by PCI DSS
  Code      Section            Title
  PCI-DSS   Requirement 4      Encrypt transmission of cardholder data across open, public networks
  HIPAA     164.312(e)         Transmission security

Manage cryptographic keys

  • Automate the entire key lifecycle
    • Centrally manage the distribution of keys.
    • Automate generating, storing, archiving, retrieving, distributing, retiring and destroying keys.
  • Protect keys
    • against modification or loss
    • for private keys, against unauthorized use and disclosure
  • Rotate keys when
    • a suspected breach occurs
    • an entity with access to the key must have its access removed
  Code     Section     Title
  ISO      A.10.1.2    Key management
  SOC2     CC6.1       The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.

Use certificates to authenticate keys

  • Protect endpoints with certificates.
  • Use commonly accepted and independently trusted signing authorities for all public endpoint certificates.

Legal compliance

  • Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
  Code     Section     Title
  ISO      A.18.1.5    Regulation of cryptographic controls

Enforcement

  • Responsible party: All managers and supervisors
  • Sanctions: standard

References

  Code     Section               Title
  ISO      A.10.1                Cryptographic controls
  ISO      A.10.1.1              Policy on the use of cryptographic controls
  HIPAA    164.312(a)(2)(iv)     Encryption and decryption
  SOC2     CC6.1                 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.