This policy addresses encryption policy and controls for confidential or other sensitive data that is at rest (including portable devices and removable media), data in motion (transmission security), and encryption key standards and management.
The purpose of this policy is to provide guidance to Waybetter Marketing, Inc (Waybetter) employees and affiliates on the use of encryption to protect information resources that contain, process, or transmit confidential and sensitive information. Additionally, this policy provides direction to ensure that a foundation is available for meeting the information security standards established by Waybetter clients.
This policy applies to all Waybetter employees and affiliates, including vendors, contractors, and clients. This policy also applies to all equipment that is owned or leased by Waybetter, as well as all equipment that communicates electronically with Waybetter equipment.
All encryption mechanisms implemented to comply with this policy must support, at a minimum, the industry-standard AES 128-bit encryption; stronger algorithms and key lengths are permitted.
The use of proprietary encryption algorithms is not allowed for any purpose, unless the algorithm has been reviewed by qualified experts outside of the vendor in question and approved by Waybetter's management team.
Confidential or sensitive data at rest on computer systems owned by and located within Waybetter-controlled spaces and networks should be protected by at least one of the following:
Encryption
Firewalls with strict access controls that authenticate the identity of individuals accessing the data
Other compensating controls, such as a complex password
Password protection should be used in combination with all controls, including encryption.
Note: hard drives that are not fully encrypted (e.g., drives that have only encrypted partitions or virtual disks, or that are unencrypted but connect to encrypted USB devices) may be vulnerable to information spillage from the encrypted region into the unencrypted region. The hard drive's unencrypted auto-recovery folder may retain files that have been saved to the encrypted portion of the disk or USB device. Full disk encryption avoids this problem.
Portable devices represent a specific category of devices that contain data at rest. Many incidents involving unauthorized exposure of confidential data are the result of stolen or lost portable computing devices. The best way to prevent these exposures is to avoid storing confidential data on these devices. As a general practice, confidential or sensitive data should not be copied to or stored on a portable computing device. However, in situations that require confidential or sensitive data to be stored on such devices, encryption and password protection must be used to reduce the risk of unauthorized disclosure in the event that the device is lost or stolen.
Confidential or sensitive information stored on portable devices, including laptops and personal digital assistants (PDAs), must be encrypted using products and/or methods in accordance with the Waybetter Data Encryption Policy.
Portable devices, including laptops and personal digital assistants (PDAs), should not be used for the long-term storage of any confidential or sensitive information.
Portable devices, including laptops and personal digital assistants (PDAs), that store or transmit confidential or sensitive information must have the proper protection mechanisms installed, including antivirus and/or firewall software, with unneeded services and ports turned off and required applications properly configured.
Removable media, including CD-ROMs, floppy disks, backup tapes, external hard drives and USB memory drives, that contain confidential or sensitive information must be:
encrypted and stored in a secure, locked location;
transported in a secure manner;
in the possession of the authorized user at all times (e.g., must not be checked as luggage while in transit).
Data owners and users of portable computing devices and non-Waybetter-owned computing devices containing confidential and sensitive data must acknowledge how they will ensure that data are encrypted and how encrypted data will remain accessible to the owner in the event that an encryption key is lost or forgotten. Methods to meet this requirement include, but are not limited to, the following:
Maintaining an accessible copy of the data on a server managed by Waybetter.
Use of whole-disk encryption technologies that provide an authorized systems administrator access to the data in the event of a forgotten key.
Escrowing the encryption key with a trusted party designated by the data owner and Waybetter management.
Users will follow the Waybetter Data Transfer Policy when transmitting data and must take particular care when transmitting or re-transmitting confidential or sensitive data (e.g., citizen personal identification information) received from business partners, affiliates or clients.
Confidential or sensitive information transmitted as an email message must be encrypted.
Any confidential or sensitive information transmitted through a public network (e.g., the Internet) to and from vendors, customers, or entities doing business with Waybetter must be encrypted or be transmitted through a tunnel that is encrypted with a virtual private network (VPN) or Secure Sockets Layer (SSL).
Transmitting unencrypted confidential or sensitive information through the use of web email programs is prohibited.
Transmission of data files through any Instant Messaging (IM) or online peer-to-peer (P2P) file sharing programs is prohibited.
Wireless (Wi-Fi) transmissions that are used to access Waybetter-owned portable computing devices or internal networks must be encrypted using IEEE 802.11i (WPA2) or better.
Encryption is required when users access confidential or sensitive data remotely from a shared network.
Waybetter permits the secure, encrypted transfer of documents and data over the Internet using file transfer programs such as "secure FTP" (FTP over SSH). Only authorized Waybetter users may initiate secure FTP transactions, and they must follow the Waybetter Data Transfer Policy.
Effective key management is the crucial element for ensuring the security of any encryption system. Key management procedures must ensure that authorized users can access and decrypt all encrypted data using controls that meet operational needs and comply with data retention requirements. Waybetter's key management processes and systems are characterized by the following security precautions:
Waybetter uses procedural controls to enforce the security and availability of encryption keys so that they are protected when in storage and can be made available when needed. These controls apply to persons involved in encryption key management or who have access to security-relevant encryption key facilities and processes, including IT personnel and/or contractor personnel. Waybetter will verify backup storage for key passwords, key files, and related backup configuration data to avoid a single point of failure and ensure access to encrypted data.
Regular training on key management requirements and procedures, completed by all personnel involved in key management.
Encryption keys shall be stored on primary and backup media that are password-protected and labeled appropriately. The on-premises copy shall be stored under lock and key in a fireproof cabinet under the jurisdiction of company management.
Sanctions against personnel for unauthorized actions, unauthorized use of authority, and unauthorized use of Waybetter systems, resulting in written reprimand or dismissal.
Written acknowledgement of receipt of this policy from each individual involved in key management.
Private keys must be kept confidential.
Keys must be randomly chosen from the entire key space, using hardware-based randomization.
Key-encrypting keys are kept separate from data keys: a key-encrypting key is used only to encrypt other keys, securing them from disclosure, and no data that was encrypted under a key-encrypting key may ever appear in clear text.
Keys that are transmitted are sent securely to well-authenticated parties.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.