
Encryption & Key Management Policy

This policy limits encryption to algorithms that have received substantial public review and have been proven to work effectively. It also sets out WeSalute's encryption standards and best practices so that WeSalute consistently follows industry standards for encryption and key management. This policy and standard applies to all WeSalute Team Members, contractors, and third-party vendors whenever sensitive data, such as customer data, WeSalute secrets and PII, is in scope.

Data Encryption Policy

All sensitive data in transit and at rest must be encrypted using strong, industry-recognized algorithms.

  • WeSalute maintains approved encryption algorithm standards. These internal standards are reviewed periodically and are updated when the security industry's encryption standards change significantly.

  • WeSalute will not engage in "roll-your-own" encryption, algorithms, or practices and will not use "security through obscurity" within production infrastructure or applications.

  • All WeSalute-owned, employee-utilized computers are to have full disk encryption enabled at all times, as these devices are expected to interact with WeSalute resources, infrastructure and/or client data while performing WeSalute business.

  • All WeSalute-owned wireless networks, both corporate and guest, must encrypt network traffic in transit using WPA2 with AES (CCMP); WEP, TKIP and open networks are not permitted.

Google Cloud & Acquia Cloud Data Encryption

  • WeSalute uses Google Cloud and Acquia Cloud resources to store and encrypt sensitive data. All Google Cloud and Acquia Cloud resources are encrypted at rest by default, using Google-managed keys and Acquia-managed keys respectively. For specific Google Cloud services, encryption can also be configured to use customer-managed encryption keys (CMEK) held in Cloud KMS, or customer-supplied encryption keys (CSEK). Google Cloud and Acquia server-side encryption uses the Advanced Encryption Standard, with 256-bit keys (AES-256) for current data and 128-bit keys (AES-128) for some older data, to encrypt WeSalute data.

Data in Transit

  • The minimum acceptable TLS version in use by the company is TLS 1.2; SSL (all versions), TLS 1.0 and TLS 1.1 must be disabled on WeSalute services.

  • All WeSalute public web properties, applicable infrastructure components and applications using SSL/TLS, IPsec or SSH to encrypt data in transit over open, public networks must use certificates signed by a known, trusted provider.

WeSalute Encryption Standards

SystemsOps is responsible for reviewing all encryption algorithms in use. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption. Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set approved for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2 (or any superseding document, as of the date of implementation). The use of RSA and Elliptic Curve Cryptography (ECC) is strongly recommended for asymmetric encryption.
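The standard above names the cipher (AES) but not the mode of operation, and the mode is where most "we use AES" deployments go wrong (AES-ECB and unauthenticated AES-CBC are still AES). The following is an added example, not code from the WeSalute policy or its systems, showing what an application-level use of the approved symmetric cipher looks like when it also follows the "no roll-your-own" rule: AES-256 in GCM mode (an authenticated mode; the choice of GCM, the 32-byte key length, the 12-byte random nonce and the `aad` field-binding parameter are this example's assumptions, not requirements stated by the policy), using only the Go standard library. In production the 32-byte key would come from the cloud provider's key service rather than `NewKey`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	keyLen   = 32 // AES-256 key size in bytes (assumed by this example)
	nonceLen = 12 // standard GCM nonce size
	tagLen   = 16 // GCM authentication tag size
)

var ErrKeySize = errors.New("key must be exactly 32 bytes (AES-256)")

// NewKey returns a fresh random AES-256 key. In practice the key would be
// generated and stored by the provider's key service, not by the application.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || tag, so the nonce travels with the record.
// aad (for example the table and column name) is authenticated but not
// encrypted; it stops a valid ciphertext being moved into another field.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: GCM is broken if a nonce repeats under one key.
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any modification of nonce, ciphertext, tag or
// aad makes aead.Open fail, so plaintext is never returned for tampered data.
func Decrypt(key, record, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, ErrKeySize
	}
	if len(record) < nonceLen+tagLen {
		return nil, errors.New("record too short to contain nonce and tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, ct := record[:nonceLen], record[nonceLen:]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real customer data.
	rec, err := Encrypt(key, []byte("member_id=000000;status=active"), []byte("members.profile"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, rec, []byte("members.profile"))
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	rec[len(rec)-1] ^= 0x01 // flip one bit of the tag
	_, err = Decrypt(key, rec, []byte("members.profile"))
	fmt.Printf("after tamper err=%v\n", err)
}
```

Two properties worth checking in review of any such code: the key length is enforced rather than silently accepted (a 16-byte key would quietly downgrade to AES-128), and the nonce is random per call and stored alongside the ciphertext rather than fixed or derived from a counter the application might reset.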

WeSalute Encryption Keys Creation & Storage Standards

Encryption Keys generated, stored, and managed by WeSalute

Auditing

SystemsOps will verify compliance to this policy through various methods, including but not limited to code reviews, periodic infrastructure and database reviews, Vanta platform monitoring, and internal and external audits. Feedback will be provided to the appropriate WeSalute Operations Team(s) upon completion of audits and reviews if remediation is required.

Exceptions

Any exception to this policy must be approved and logged by SystemsOps in advance, and placed on the risk register for monitoring and periodic review.

Policy Review, Disciplinary, & Responsibility

Disciplinary and Non-Compliance

Any Team Member found to have violated this policy may be subject to disciplinary action, up to and including employment termination.

warning

This Policy currently does not have the required policy footer content standard on WeSalute Policies. This may be intentional by the nature of the content.