S 2.166 Provisions governing the use of crypto modules
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer
An encryption module must meet a host of security requirements, even during live operation. The modules must be integrated adequately into the technical and organisational environment they are used in.
For this, a number of organisational arrangements must be made:
- Persons in charge of drawing up the encryption concept, selecting the cryptographic products, and securely operating the cryptographic products must be appointed.
- Suitable personnel measures must be defined and/or implemented (training, user support, representation arrangements, obligations, assignment of roles).
- The users must not only be trained regarding the handling of the encryption modules they are to operate, they must furthermore be made aware of the benefit and necessity of the cryptographic procedures and be provided with an overview of basic cryptographic terms (see also S 3.23 Introduction to basic cryptographic terms).
- If problems arise or security incidents are suspected when using encryption modules, the actions to be taken in such cases must be clearly defined. All users must be informed about the corresponding behavioural rules and reporting paths.
- Within the framework of the encryption concept, it must be defined who must and/or may use which encryption products at what time and which general conditions must be observed in so doing (e.g. key depositing).
- The proper use of the encryption modules should be checked regularly. Likewise, it must be checked regularly whether the cryptographic procedures used are still state of the art (see also S 2.35 Obtaining information on security weaknesses of the system).
- Depending on the defined availability requirements, backup encryption modules should be kept in stock in order to ensure smooth operation. This is particularly important if the access to encrypted data depends on the functionality of an individual encryption module, e.g. during data archiving or ISDN encryption.
Secure operation of the encryption modules must be guaranteed, including the following:
- The optimal configuration of the encryption modules must be defined before commissioning, e.g. regarding key length, modes of operation, or encryption algorithms.
- The configuration selected must be documented so that it can be set up again quickly after a system failure or if re-installation becomes necessary.
- For the users, the encryption products must be pre-configured by the administrator in such a way that a maximum level of security can be achieved without any further action by the users.
- For more complex encryption products, suitable manuals must be available.
- The encryption modules must be installed securely and tested afterwards (e.g. for proper encryption and whether they can be operated by the users).
- The requirements for the application environment must be defined; additional safeguards may have to be taken in the IT environment for this. The security-related requirements for the IT systems the cryptographic procedures are used on can be found in the respective system-specific modules, e.g. for clients (including laptops) and for servers from layer 3.
- It must be defined who must maintain the encryption modules and how often.
Various specifications are also required for key management (see S 2.46 Appropriate key management):
- specifications for key generation and selection,
- specifications for secure storage of cryptographic keys,
- definition of the key change strategy and intervals.
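The points above on defining and documenting a configuration (key length, mode of operation, algorithm), pre-configuring it so users need take no further action, testing the module after installation, and fixing key storage and key change intervals can be turned into a checkable baseline. The following is an added illustration, not part of the safeguard text or of any BSI product: the approved algorithms, modes, minimum key lengths, storage locations and rotation interval are assumed values an organisation would set in its own encryption concept, and the self-test uses published known-answer vectors (HMAC-SHA-256 test case 1 from RFC 4231 and SHA-256 of "abc") to verify that the installed primitives compute correctly.

```python
"""Constructed example: a documented crypto-module configuration baseline,
a policy check that flags weak settings, and a post-installation
known-answer self-test.  All policy thresholds below are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Assumed organisational baseline (not from the safeguard): only AES in an
# authenticated mode, keys held outside plain files, rotated at least yearly.
APPROVED_CIPHERS = {"AES"}
APPROVED_MODES = {"GCM", "CCM"}
MIN_KEY_BITS = {"AES": 128}
APPROVED_KEY_STORAGE = {"hsm", "smartcard", "os-keystore"}
MAX_ROTATION_DAYS = 365


@dataclass
class CryptoModuleConfig:
    """The configuration an administrator fixes before commissioning."""
    module: str
    cipher: str
    key_bits: int
    mode: str
    key_storage: str
    key_rotation_days: int


def check_config(cfg: CryptoModuleConfig) -> list[str]:
    """Return policy violations; an empty list means the settings are acceptable."""
    findings = []
    if cfg.cipher not in APPROVED_CIPHERS:
        findings.append(f"cipher {cfg.cipher} is not approved")
    elif cfg.key_bits < MIN_KEY_BITS[cfg.cipher]:
        findings.append(f"key length {cfg.key_bits} is below the minimum of {MIN_KEY_BITS[cfg.cipher]}")
    if cfg.mode not in APPROVED_MODES:
        findings.append(f"mode {cfg.mode} is not an approved authenticated mode")
    if cfg.key_storage not in APPROVED_KEY_STORAGE:
        findings.append(f"key storage '{cfg.key_storage}' is not approved")
    if cfg.key_rotation_days > MAX_ROTATION_DAYS:
        findings.append(f"rotation interval of {cfg.key_rotation_days} days exceeds {MAX_ROTATION_DAYS}")
    return findings


def document_config(cfg: CryptoModuleConfig) -> str:
    """Serialise the selected configuration so it can be restored after a failure."""
    return json.dumps(asdict(cfg), indent=2, sort_keys=True)


def self_test() -> bool:
    """Known-answer test to run after installation (RFC 4231 case 1, SHA-256('abc'))."""
    expected_hmac = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
    got_hmac = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest()
    expected_sha = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    got_sha = hashlib.sha256(b"abc").hexdigest()
    return got_hmac == expected_hmac and got_sha == expected_sha


# Constructed sample configurations: one weak, one matching the baseline.
WEAK = CryptoModuleConfig("legacy-vpn-box", "3DES", 112, "CBC", "config-file", 1095)
GOOD = CryptoModuleConfig("file-encryptor", "AES", 256, "GCM", "hsm", 180)

if __name__ == "__main__":
    for cfg in (WEAK, GOOD):
        print(cfg.module, check_config(cfg) or "OK")
    print(document_config(GOOD))
    print("self-test passed:", self_test())
```

Running the script reports four findings for the weak configuration and none for the compliant one, prints the documented baseline as JSON, and confirms the known-answer self-test passed; the baseline sets used for comparison should be taken from the organisation's own encryption concept rather than the assumed values shown here.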
Review questions:
- Are persons in charge of drawing up the encryption concept, selecting the cryptographic products, and securely operating the cryptographic products appointed?
- Have users and administrators received sufficient training regarding the handling of the encryption modules they must operate?
- Have the users been made aware of the benefit and necessity of cryptographic procedures and were they provided with an overview of basic cryptographic terms?
- Are all users informed about behavioural rules and reporting paths regarding the use of encryption modules for problems or when suspecting a security incident?
- Has it been defined within the framework of the encryption concept who must and/or may use which encryption products at what time?
- Are the proper use of the encryption modules and whether the encryption procedures used are still state of the art checked regularly?
- Are encryption modules kept in store in the event of high availability requirements?
- Is the optimal configuration of the encryption modules defined before commissioning?
- Are the encryption modules installed securely and tested for proper operation?
- Are the requirements for the application environments of the encryption modules defined?
- Is there a definition as to how often the encryption modules must be maintained?