End User Encryption Key Protection Policy

Version 1.0.0 | Last Updated 2023-11-21 | APPROVED

1. Overview

Encryption key management, if not done properly, can lead to the compromise and disclosure of the private keys used to secure sensitive data and hence to the compromise of the data itself. While users may understand that it is important to encrypt certain documents and electronic communications, they may not be familiar with the minimum standards for protecting encryption keys.

2. Purpose

This policy outlines the requirements for protecting encryption keys that are under the control of end users at AccuCode AI Inc. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined will include operational and technical controls, such as key backup procedures, encryption under a separate key, and use of tamper-resistant hardware.

3. Scope

This policy applies to any encryption keys used for business purposes and to protect data owned by AccuCode AI Inc. The public keys contained in digital certificates are specifically exempted from this policy.

4. Policy

All encryption keys covered by this policy must be protected to prevent their unauthorized disclosure and subsequent fraudulent use.

4.1 Secret Key Encryption Keys

Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them. During distribution, symmetric encryption keys must be encrypted using a stronger algorithm, with a key of the longest key length for that algorithm that is authorized in AccuCode AI’s Acceptable Encryption Policy.

Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution of that key.

4.2 Public Key Encryption Keys

Public key cryptography, or asymmetric cryptography, uses public-private key pairs. The public key is included in the digital certificate issued to the end user. The private key should only be available to the end user to whom the corresponding digital certificate is issued.

4.2.1 AccuCode AI’s Public Key Infrastructure (PKI) Keys

The public-private key pairs used by AccuCode AI’s public key infrastructure (PKI) are generated and managed using Microsoft Azure. The private key associated with any encryption certificate must be escrowed in compliance with applicable policies.

4.2.2 Other Public Key Encryption Keys

If the keys are generated in software, the end user is required to create at least one backup of these keys and store any backup copies securely using a password manager protected by 2FA. The user is also required to create an escrow copy of any private keys used for encrypting data and deliver the escrow copy to the InfoSec team for secure storage in Azure Key Vault.

All backups, including escrow copies, shall be protected with a password or passphrase that is compliant with the Password Policy. InfoSec representatives will store and protect the escrowed keys as described in the Certificate Practice Statement Policy.

4.3 Hardware Token Storage

Hardware tokens storing encryption keys, such as YubiKeys, will be treated as sensitive company equipment when outside company offices. Hardware tokens will not be stored on, or left connected to, any end user’s computer when not in use. End users traveling with hardware tokens will not store or carry them in the same container or bag as any computer.

4.4 Passwords and Passphrases

All passwords or passphrases used to protect encryption keys must meet complexity and length requirements described in AccuCode AI’s Password Policy.

4.5 Loss and Theft

The loss, theft, or potential unauthorized disclosure of any encryption key covered by this policy must be reported immediately to the InfoSec Team. InfoSec personnel will direct the end user in any actions that will be required regarding revocation of certificates or public-private key pairs.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.