Cryptography Policy
Document ID: POL-006
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (A.8.24) | SOC 2 (CC6.1, CC6.7)
1. Purpose
This policy defines the requirements for the use of cryptographic controls to protect the confidentiality, integrity, and authenticity of information at CTW Data Solutions GmbH.
2. Scope
This policy covers all cryptographic operations across CTW Data Solutions systems, including data encryption, key management, digital signatures, and secure communications.
3. Cryptographic Standards
3.1 Approved Algorithms
| Use Case | Algorithm | Minimum Strength |
|---|---|---|
| Data at rest | AES-256-GCM | 256-bit |
| Data in transit | TLS 1.3 (preferred), TLS 1.2 (minimum) | 256-bit |
| Hashing | SHA-256, SHA-384, SHA-512 | 256-bit |
| Digital signatures | RSA-2048+, ECDSA P-256+ | 2048-bit RSA / 256-bit ECC |
| Key exchange | ECDHE, X25519 | 256-bit |
3.2 Prohibited Algorithms
| Algorithm | Reason |
|---|---|
| MD5 | Cryptographically broken |
| SHA-1 | Collision vulnerabilities |
| DES / 3DES | Insufficient key length |
| RC4 | Known biases and vulnerabilities |
| TLS 1.0 / 1.1 | Deprecated; known vulnerabilities |
| SSLv3 | POODLE and other attacks |
4. Key Management
4.1 Key Storage
- All cryptographic keys are stored in Azure Key Vault (FIPS 140-2 Level 2 certified)
- Keys must never be stored in source code, configuration files, or environment variables
- Hardware Security Modules (HSMs) are used for Top Secret key material
4.2 Key Lifecycle
| Phase | Requirement |
|---|---|
| Generation | Keys generated using Azure Key Vault or equivalent CSPRNG |
| Distribution | Keys distributed only via secure, encrypted channels |
| Rotation | API keys: customer-managed rotation (recommended every 90 days); SSL/TLS certificates: auto-rotation via Azure Key Vault |
| Revocation | Immediate revocation upon suspected compromise |
| Destruction | Cryptographic erasure; documented in key management log |
4.3 Key Access
- Access to key management operations is restricted to ISO and Infrastructure Owner
- All key operations are logged in Azure Key Vault audit log
- Key access is reviewed quarterly as part of the Access Review
5. SSL/TLS Configuration
- TLS 1.3 is the default for all external-facing services
- TLS 1.2 is the minimum acceptable version
- HSTS is enabled with a minimum max-age of 1 year
- Certificate pinning is implemented for the Quick-ID API
- Certificate expiry is monitored with automated alerts at 30, 14, and 7 days before expiry
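Added example, not part of the policy or of CTW's own tooling: a Python check that evaluates one service's TLS settings and certificate expiry date against the prohibited list in 3.2 and the requirements in section 5. The service dictionary fields, the two sample services and the sample dates are constructed assumptions.

```python
from datetime import date

# Constants taken from sections 3.2 and 5 of the policy text.
PROHIBITED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
PROHIBITED_ALGORITHMS = {"MD5", "SHA-1", "DES", "3DES", "RC4"}
HSTS_MIN_MAX_AGE = 365 * 24 * 60 * 60  # one year, in seconds
EXPIRY_ALERT_DAYS = (30, 14, 7)          # alert thresholds, days before expiry

def check_tls_config(cfg, external=True):
    """Return policy findings for one service's TLS settings (empty = compliant).
    cfg is a hypothetical dict: 'protocols', 'default_protocol', 'algorithms',
    'hsts_max_age'. Internal services are exempt from the TLS 1.3 default."""
    findings = []
    protocols = set(cfg.get("protocols", []))
    bad_protocols = PROHIBITED_PROTOCOLS & protocols
    if bad_protocols:
        findings.append(f"prohibited protocol(s) enabled: {sorted(bad_protocols)}")
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2+ protocol enabled (TLS 1.2 is the minimum)")
    if external and cfg.get("default_protocol") != "TLSv1.3":
        findings.append("external-facing service must default to TLS 1.3")
    bad_algorithms = PROHIBITED_ALGORITHMS & set(cfg.get("algorithms", []))
    if bad_algorithms:
        findings.append(f"prohibited algorithm(s) in use: {sorted(bad_algorithms)}")
    if cfg.get("hsts_max_age", 0) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age is below the one-year minimum")
    return findings

def expiry_alert_level(not_after, today):
    """Return the tightest threshold (30, 14 or 7) a certificate expiring on
    not_after has crossed, or None if more than 30 days remain.
    An already-expired certificate reports 7 (the tightest threshold)."""
    days_left = (not_after - today).days
    for threshold in sorted(EXPIRY_ALERT_DAYS):
        if days_left <= threshold:
            return threshold
    return None

# Constructed samples: one non-compliant and one compliant service, plus dates.
WEAK_SERVICE = {"protocols": ["TLSv1.0", "TLSv1.2"], "default_protocol": "TLSv1.2",
                "algorithms": ["RC4", "AES-256-GCM"], "hsts_max_age": 86400}
GOOD_SERVICE = {"protocols": ["TLSv1.2", "TLSv1.3"], "default_protocol": "TLSv1.3",
                "algorithms": ["AES-256-GCM", "SHA-256", "X25519"],
                "hsts_max_age": HSTS_MIN_MAX_AGE}
SAMPLE_TODAY, SAMPLE_NOT_AFTER = date(2026, 4, 5), date(2026, 4, 15)

if __name__ == "__main__":
    print(check_tls_config(WEAK_SERVICE), check_tls_config(GOOD_SERVICE))
    print(expiry_alert_level(SAMPLE_NOT_AFTER, SAMPLE_TODAY))  # 14
```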
6. Data Encryption
| Data State | Encryption Requirement |
|---|---|
| At rest (Azure) | Azure Storage Service Encryption (AES-256) — enabled by default |
| At rest (devices) | Full-disk encryption mandatory (FileVault / BitLocker) |
| In transit (external) | TLS 1.3 enforced |
| In transit (internal) | TLS 1.2+ enforced |
| Backups | Encrypted using Azure-managed keys |
7. Compliance
This policy supports compliance with:
- GDPR Article 32 — encryption as a technical measure
- ISO 27001 A.8.24 — use of cryptography
- SOC 2 CC6.1, CC6.7 — logical and system security, data transmission
8. Review
This policy is reviewed annually or when changes to cryptographic standards require updates.
Approved by: CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026