Acceptable Encryption Policy

Introduction

The purpose of this policy is to supply with the general principles that limit the use of encryption to those algorithms that have received considerable public review and have been proven to work effectively.

Scope

This policy applies to all Staysure.co.uk employees and affiliates.

Policy

• It is strongly recommended to use the Advanced Encryption Standard (AES) for symmetric encryption.
• It is strongly recommended to use the RSA and Elliptic Curve Cryptography (ECC) algorithms for asymmetric encryption.
• In general, Staysure company adheres to the NIST Policy on Hash Functions.
• Diffie-Hellman, IKE, or Elliptic curve Diffie-Hellman (ECDH) Key exchanges must be used.
• End points must be authenticated before exchanging the key or derivation of session keys.
• Public keys used to establish trust must be authenticated prior to use.
• All servers and applications using SSL or TLS must have the certificates signed by a known, trusted provider.
• Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.

This Policy must be verified and accepted by the Infosec team through different methods.

Any employee found to have violeted this policy will be dealt with in accordance to Staysure disciplinary procedures. This may lead to a termination of employment for employees and termination of contract for service providers.

Database Credentials Coding Policy

Introduction

For an application to connect to the internal database it is necessary to authorize through the database authentication credentials. But incorrect use, storage and transmission of such credentials will lead to compromise of very sensitive data.

Scope

This policy is for all system implementer and software engineers who work on coding applications that will access database server on the Staysure Network.

Policy

• To maintain the security of Staysure’s internal databases, access by software programs must be granted only after authentication with credentials.
• The credentials used for this authentication must not reside in the main, executing body of the program.
• Database credentials must not be stored in a location that can be accessed through a web server.

• Database credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication
• Database credentials may not reside in the documents tree of a web server.
• Passwords or pass phrases used to access a database must adhere to the Password Policy.

• Every program must have unique database credentials. Sharing of credentials between programs is not allowed.
• Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy

This Policy must be verified and accepted by the Infosec team through different methods.

Any employee found to have violeted this policy will be dealt with in accordance to Staysure disciplinary procedures. This may lead to a termination of employment for employees and termination of contract for service providers.

Any program code or application that violates this policy must be remediated within a 90 day period

Web Application Security Policy

Introduction

The largest portion of attack vectors outside the malware is accounted by the Web applications. It is necessary that any web application prior to production deployment should be assessed for vulnerabilities.

Scope

This policy is for assessments of all web applications for maintaining the security posture, compliance, risk management, and change control of technologies in use at Staysure.co.uk

Policy

• New Application Releasewill be subject to a full assessment prior to release into the live environment.
• Third Party Web Applicationwill be subject to full assessment after which it will be bound to policy requirements.
• Patch Releaseswill be subject to an appropriate assessment level based on the risk of the changes to the application functionality and architecture.
• Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment.
• A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide
• A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
• A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.

This Policy must be verified and accepted by the Infosec team through different methods.

Any employee found to have violeted this policy will be dealt with in accordance to Staysure disciplinary procedures. This may lead to a termination of employment for employees and termination of contract for service providers.