Data Encryption Standard

OFFICIAL

Queensland Government Enterprise Architecture
Data encryption standard
FINAL
June 2019
V1.0.2
OFFICIAL - Public

Document details

Security classification: OFFICIAL - Public
Date of review of security classification: June 2019
Authority: Queensland Government Customer and Digital Group
Author: Queensland Government Customer and Digital Office
Documentation status: Working draft / Consultation release / Final version

Contact for enquiries and proposed changes

All enquiries regarding this document should be directed in the first instance to:
Queensland Government Customer and Digital Group
Cyber Security Unit
[email protected]

Acknowledgements

This version of the Data encryption standard was developed and updated by Queensland Government Chief Information Office. Feedback was also received from a number of agencies, which was greatly appreciated.

Copyright

Data encryption standard
Copyright © The State of Queensland (Department of Housing and Public Works) 2019

Licence

This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the scope of this licence, contact [email protected]. To attribute this material, cite the Queensland Government Customer and Digital Group, Department of Housing and Public Works. The licence does not apply to any branding or images.

Information security

This document has been security classified using the Queensland Government Information Security Classification Framework (QGISCF) as OFFICIAL - Public and will be managed according to the requirements of the QGISCF.

Final | v 1.0.2 | June 2019 OFFICIAL Page 2 of 15

Contents

1 Introduction ... 4
1.1 Purpose ... 4
1.2 Requirements ... 4
1.3 Scope ... 4
2 Background ... 5
3 Implementation ... 5
3.1 Overview of use ... 5
4 Control sets ... 7
4.1 Cryptographic algorithms ... 7
4.2 Cryptographic protocols ... 9
4.3 Encryption at rest ... 10
4.4 Key management ... 11
5 References ... 12
Appendix A Required controls ... 13
Appendix B Control classification mapping ... 15

1 Introduction

1.1 Purpose

The Queensland Government uses a range of information and communications technology systems to process, store and transmit information. The Queensland Government is responsible for ensuring it applies adequate security for this information.

The Data encryption standard outlines the minimum requirements for encryption and management of encrypted, Queensland Government owned data (in use, in transit, and at rest).

The Data encryption standard is enforced by the Information security policy requirement 3: Agencies must meet minimum security requirements, with all information transmitted over data communication networks secured in line with the Data encryption standard.

The Data encryption standard corresponds to the ISO/IEC 27001:2013 control domain of cryptography (A.10). Conformance with ISO 27001 requires consideration of the development and implementation of policies on cryptographic controls and a policy on cryptographic key management where appropriate.

1.2 Requirements

Agencies must:
• Implement policy on the use of encryption, cryptographic controls, and key management.
• Implement controls at least equivalent to those outlined in appendix A.1 “Required Controls” of the Data encryption standard.

1.3 Scope

This standard provides direction and processes for choosing and implementing encryption for data-in-transit, data-in-use, and data-at-rest. The standard also sets the minimum required standard for encryption of Queensland Government data.

1.3.1 Applicability

The Data encryption standard is mandated through the Information security policy (IS18:2018). For further information on applicability see the Information security policy (IS18:2018).

1.3.2 National security

By design, this standard does not provide specific guidance for handling national security information, classified material or systems that are assessed to have confidentiality requirements above PROTECTED. Where an agency has cause to handle such material or systems, it should refer to the Australian Government Protective Security Policy Framework (PSPF) and the Security and Counter-Terrorism Group in Queensland Police Service. Telephone 07 3364 4549 or email [email protected]. For more details on information security classification, please refer to the Queensland Government Information Security Classification Framework (QGISCF).

1.3.3 Audience

The Data encryption standard is intended for use by:
• Network and security architects, project managers, information security professionals, and those responsible for Queensland Government data and information.
• Third-party service providers developing or providing systems and services that will be storing and managing data or information on behalf of the Queensland Government.

Readers should be familiar with the concepts and workings of the QGISCF.

2 Background

The Data encryption standard supersedes the Network Transmission Security Assurance Framework (NTSAF). References to the NTSAF in other QGEA documents should be taken to refer to the Data encryption standard.

Data can exist in various states or locations throughout its lifecycle. The following terms and definitions have been used within this document to describe the state or location of data:
• Data-at-rest: the stored location of data, be it on a storage device, server or other storage system.
• Data-in-transit: data that is currently being transmitted between locations.
• Data-in-use: data which is in use on a client device or session.

The Data encryption standard has been designed and written to replace the NTSAF. This document has changed from focusing primarily on the security of network transmission. It now covers the security of data and information in all its forms, for the following reasons:
• to remove the minimum-security assurance levels applied to networking technologies, encouraging agencies to independently risk assess technologies
• to focus the document on the topics of encryption, cryptography, and key management, removing extraneous topics
• to simplify implementation and understanding of the standard
• no other industry standards or frameworks require controls to the same detail as the NTSAF on the topic of network transmission security
• to provide clearer mapping to the ISO/IEC 27001:2013 control domains to assist with implementation of agency ISMSs
• to align with the Australian Government’s minimum encryption control sets and support information sharing
• to expand the scope of the standard to incorporate data in its various states.

3 Implementation

3.1 Overview of use

This standard is intended to be used to:
1. assist agencies in developing and implementing policies on encryption, cryptographic controls, and key management
2. determine appropriate encryption requirements considering the security classification of information and data
3. ensure that the risk of data security being breached is effectively reduced through the appropriate implementation of cryptographic controls
4. identify acceptable configurations and supplementary controls which must or should be applied to cryptographic algorithms and protocols when being implemented.

Each of the above (1, 2, and 3) is explained in more detail in the following sections. Item 4 is further discussed in the control set sections “Cryptographic algorithms” and “Cryptographic protocols”.

3.1.1 Assist agencies in developing and implementing policies on encryption, cryptographic controls, and key management

In order to conform with ISO 27001 requirements, agencies must consider
