The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.
The name ‘Door’ in this policy relates to Door Ventures Inc and Door Ventures Ltd as opposed to the Door platform.
This policy applies to all Door employees and affiliates.
Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates’ Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Sockets Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Door’s key length requirements will be reviewed annually and upgraded as technology allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by Door’s DevOps Engineer.
All sensitive data stored within the organization must be encrypted using the Advanced Encryption Standard (AES) with a minimum key length of 256 bits.
Sensitive data transmitted within or outside the organization must be encrypted using Transport Layer Security (TLS) version 1.3 or later, using only approved cipher suites as defined by NIST Special Publication (SP) 800-52 Revision 2 or its successor.
Key management must adhere to NIST SP 800-57 Part 1, which provides guidelines on generating, distributing, storing, and retiring cryptographic keys. All cryptographic keys must be stored securely and access to them must be restricted to authorized personnel only.
Only NIST-approved cryptographic algorithms and modules should be used within the organization. Cryptographic modules must meet the security requirements of Federal Information Processing Standards (FIPS) 140-3 or its successor.
All portable devices (e.g., laptops, smartphones, tablets, and removable storage) containing sensitive information must be encrypted using AES-256 or another NIST-approved encryption algorithm.
The ISO is responsible for overseeing the implementation, monitoring, and enforcement of this Encryption Policy, as well as ensuring that encryption technologies are up-to-date and in compliance with NIST standards.
System Administrators are responsible for implementing and maintaining encryption technologies and practices, managing cryptographic keys, and ensuring that all systems storing or transmitting sensitive data are compliant with this policy.
All employees and contractors must comply with this Encryption Policy when handling sensitive information and must report any potential or actual security incidents to the ISO.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Term | Definition |
---|---|
Proprietary Encryption | An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government. |
Symmetric Cryptosystem | A method of encryption in which the same key is used for both encryption and decryption of the data. |
Asymmetric Cryptosystem | A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption). |
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Further information and advice on this policy can be obtained from Door Team, policies@doorfunds.com.