Cryptography & Secrets Policy
Document ID: DPWAT-ISMS-POL-005
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Device encryption
- Company-managed Macs must have FileVault enabled.
- Mobile devices used for DP WAT business must use biometric/passcode lock.
2. Secrets handling
- Store secrets (passwords, API keys, tokens, recovery codes) in approved password managers (DP WAT standard: iCloud Keychain and 1Password, as applicable).
- Do not store secrets in plaintext in documents, tickets, chat, or source code.
- Use environment variables and approved secret storage for deployments where applicable.
3. Data in transit
- Use TLS/HTTPS for communications.
- Do not bypass certificate warnings.
4. Rotation and incident response
- Rotate credentials when compromise is suspected/confirmed, when a user leaves, or when a key is exposed.
- Maintain evidence of rotations in incident records or change records where relevant.
5. Cryptographic standards
DP WAT relies on reputable providers for cryptographic implementation and does not implement custom cryptography. Approved tools use industry-standard algorithms:

| Tool | Encryption standard |
|---|---|
| FileVault (macOS) | XTS-AES-128 or XTS-AES-256 (Apple Silicon) |
| iCloud Keychain | AES-256-GCM |
| 1Password | AES-256-GCM |
| AWS Secrets Manager | AES-256 |
| Azure Key Vault | AES-256 (symmetric), RSA-2048+ (asymmetric) |
| TLS (data in transit) | TLS 1.2+ with modern cipher suites |

Customer-specific cryptographic requirements (e.g., FIPS compliance) are addressed per project as needed.