Encryption consists of making data illegible to an unauthorised third party and preventing them from saving or transferring the data. The use of this method is recommended when transferring information classed as vital and confidential for the “organisation”, in particular during email communications. The choice of encryption method falls to the IT manager. If necessary they may consult with external specialists. (SMEs: see Interception of communications).
Some examples of free encryption tools:
VeraCrypt is a free encryption software program with which you can encrypt a whole hard drive or create encrypted containers into which you can place sensitive files. These containers can be located on a hard drive, a file server or even on removable devices. It is easy to use and reliable from a security point of view.
7Z is a free tool used to compress and archive files. This tool also has a AES 256-bit strong encryption option. It can therefore be used to transfer confidential encrypted files on removable devices or by email since the files are located in a compressed archive.
It is a symmetrical encryption tool like truecrypt, so you need to exchange the encryption key securely with the recipient. Use a channel that is safe but different to the one used for the transfer of data. You can, for example, send the key by post, fax or SMS, or hand it to them in person.
The CSSI and the key administrator are responsible for the encryption process.
The CSSI defines a secure location (typically a safety-deposit box classified as SECRET) in which copies of the keys made available to users are kept. The deposit has no backup. In the event they are destroyed, the key administrators should deposit their cases again.
Applicable security measures:
This is the same procedure as detailed above, except for the four-eyes principle, as only the CSSI may access the safety-deposit box. This is why they may keep keys in electronic form (in a sufficiently protected container). They can replace the key identifier with the key itself. The CSSI does, however, have to ensure that their safeguards can also enable access to the key file.
The author of the key drafts a form, noting down the key, and encloses it in the presence of the person responsible for the safety-deposit box, after having shown this person the form, solely for sufficient time for this person to see that the form has been fully completed and that the quality of the key is sufficiently good.
The person responsible for the deposit updates the deposit inventory and has it signed by the author of the added key.
No key can be removed from deposit. In the case of usage, authorised persons may come and consult it:
The following are authorised:
Any export of the safety-deposit box inventory shall be signed by the person who examined the key, as well as the safety-deposit box managers.
On written request by the author and validated by the manager of the information protected, the safety-deposit box managers proceed with the destruction of a key. To this end, they destroy the envelope with the key inside in a document destroyer, after having verified the destruction request.
The inventory is updated, keeping the destruction request as proof of legitimisation.
An electronic signature is a method used to guarantee the authenticity of the source of a message (sender), and the integrity of its contents.
This technology should be implemented during dialogue via email with external entities which may represent a commitment for the “organisation”. It is the responsibility of the IT manager to implement this technology for users.
Electronic signatures can be affixed to documents and to emails. The signature guarantees the authenticity of the sender, as well as the integrity of the contents of the file relating to the message.
All types of organisation need to monitor risks relating to the exploitation of technical vulnerabilities which have been subject to publication.
To do this, they should introduce an effective and systematic management of technical vulnerabilities for all their operating systems and network equipment. This is done through the application of corrective or other tools designed to prevent the exploitation of technical vulnerabilities. Monitoring the measures undertaken will enable their actual effectiveness to be gauged.