Cryptographic controls - policy

Policy for cryptographic controls.

Norwegian version - Retningslinje for kryptografiske kontrollere

  • Document type: Topic specific policy
  • Managed by: CISO, Digital Security Section
  • Approved by: Director of Organization and Infrastructure
  • Valid from: 01.01.2025
  • Next revision within: 01.01.2027
  • Classification: Open
  • Reference ISO: ISO 27002:2022; 811, 8.24
  • Reference NSM's principles for ICT security: NSM Cryptographic Recommendations; NSM's General Principles for Information Security: 2.2.1, 2.4.2, 2.7.1-2.7.4
  • Reference Law/Rule: eGovernment regulations (eForvaltningsforskriften)
  • Reference internal documents: ICT Regulation and superior Policy for Information Security

Purpose

The purpose of the "Policy for Cryptographic Controls" is to ensure that NTNU uses cryptographic methods to protect data and information during transmission and storage, in accordance with best practice and regulatory requirements.

Applies to

The "Policy for Cryptographic Controls" applies to all employees at NTNU, as well as students who process sensitive or classified information in accordance with the policy for information classification.

Roles and responsibilities

Information security work affects the organization at all levels. Responsibility and authority for information security follow the standard line management structure. All roles within the governance system are defined in the Information Security Policy.

The Head of the IT Department, the Head of the Section for IT Infrastructure, and CISO/the Head of the Section for Digital Security have key roles in the implementation and follow-up of the Policy for Cryptographic Controls.

General Principles

a. NTNU shall comply with the NSM Cryptographic Recommendations.

b. NTNU shall at all times employ the strongest available cryptographic mechanism where practicable. Where feasible, quantum-safe algorithms shall be used when information is transmitted over the internet.

c. NTNU shall encrypt local storage on all end-user equipment (workstations, laptops, tablets and mobile telephones) so that information is not compromised if the equipment is lost or stolen.

d. The requirement for encryption of equipment in laboratories shall be assessed on the basis of confidentiality, integrity and practicability requirements.

e. All wired and wireless connections shall be encrypted.

Digital Certificate

Digital certificates are data files that bind a public key to an identity and are signed by a Certificate Authority (CA), so they can be used as digital credentials. They can be issued to websites, programs, organizations (business certificates), and individuals (personal certificates), and are used to authenticate the parties to digital communication and to protect its integrity.

TLS Certificates

a. All domains owned by NTNU must use TLS certificates issued by an authorized and approved Certificate Authority (CA).

b. NTNU must have a DNS CAA record to restrict certificate issuance to approved and authorized Certificate Authorities.

c. Domains owned by NTNU must only support connections using TLS 1.2 or newer.

d. Domains owned by NTNU must be validated using Organization Validation (OV) certificates.

Business Certificates

a. Business certificates are used for:

  • Signing – a business certificate is NTNU’s legal and digital signature and can be used wherever the rector or chief financial officer would need to sign.
  • Authenticating – logging into Altinn and other public services.
  • Encrypting – securing communication.

b. Business certificates are managed by the Digital Security Section and operated by the IT Infrastructure Section.

c. NTNU should differentiate between research and administration when using business certificates.

d. The need for a business certificate should be approved by the Digital Security Section.

e. The Digital Security Section can revoke a business certificate in case of misuse.

Personal Certificates

Personal certificates can be used to sign documents (digital signature) and verify the sender in emails.

a. All managers at NTNU should have a personal certificate to sign emails.

b. Anyone working with security and emergency preparedness at NTNU must have a personal certificate.

c. Personal certificates must not be used for purposes other than official duties, as specified in § 19 of the eGovernment regulations (eForvaltningsforskriften).

Encryption

a. Encrypted hard drives must use XTS-AES with:

  • 128-bit encryption for Confidential classification
  • 256-bit encryption for Strictly Confidential / Restricted classification

Storage of Restricted material requires separate authorisation and approval beyond encrypted hard disk storage.

b. For general encryption:

  • AES-GCM (AES-128) may be used for data classified up to Confidential
  • AES-GCM (AES-256) must be used for Strictly Confidential / Restricted data

c. Encryption keys must be stored securely.

d. Password Requirements for File Encryption

  • Confidential information: Minimum 20 characters with high complexity (uppercase, lowercase, numbers, and special characters)
  • Strictly Confidential information: Minimum 30 characters with high complexity
Summary of requirements by classification:

  Classification          General encryption                              Storage media / hard drive encryption
  Restricted*             AES-GCM (AES-256)                               XTS-AES (AES-128)
  Strictly Confidential   AES-GCM (AES-256)                               XTS-AES (AES-256)
  Confidential            AES-GCM (AES-128)                               XTS-AES (AES-128)
  Internal                AES-GCM (AES-128) or strongest suitable         XTS-AES (AES-128) or strongest suitable
  Public                  No requirement, but strongest suitable recommended   No requirement, but strongest suitable recommended

* Restricted classification requires separate system authorization and approval, regardless of encryption.
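The table above says which AES key length and mode to use, but not how to use AES-GCM so that the classification actually protects the data. The following Go program is an added worked example, written for this page and not NTNU's own code or tooling. It picks the key length the table prescribes for "general encryption", refuses a key that is too short for the classification, uses a fresh random 96-bit nonce per message, and binds the classification label to the ciphertext as additional authenticated data so that a Strictly Confidential blob cannot later be opened as if it were Internal. The function names, the ciphertext layout (nonce || ciphertext || tag) and the sample plaintext are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBitsFor returns the AES key length the policy table prescribes for
// general (AES-GCM) encryption of the given classification.
func KeyBitsFor(classification string) (int, error) {
	switch classification {
	case "Restricted", "Strictly Confidential":
		return 256, nil
	case "Confidential", "Internal", "Public":
		return 128, nil
	}
	return 0, fmt.Errorf("unknown classification %q", classification)
}

// NewKey generates a random AES key of the length required for the classification.
func NewKey(classification string) ([]byte, error) {
	bits, err := KeyBitsFor(classification)
	if err != nil {
		return nil, err
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// checkKey rejects a key shorter than the policy minimum for the classification.
func checkKey(key []byte, classification string) error {
	bits, err := KeyBitsFor(classification)
	if err != nil {
		return err
	}
	if len(key)*8 < bits {
		return fmt.Errorf("%s requires AES-%d but key is %d bits", classification, bits, len(key)*8)
	}
	return nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-GCM. The classification label is passed as
// additional authenticated data (AAD): it is not encrypted, but any attempt to
// open the ciphertext under a different label fails authentication.
// Output layout (assumed for this example): 12-byte nonce || ciphertext || 16-byte tag.
func Seal(key []byte, classification string, plaintext []byte) ([]byte, error) {
	if err := checkKey(key, classification); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit nonce per
	// message is the standard choice for AES-GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(classification)), nil
}

// Open verifies the tag (covering ciphertext and classification label) and
// decrypts. Any bit flip in the ciphertext, tag, nonce or label is rejected.
func Open(key []byte, classification string, sealed []byte) ([]byte, error) {
	if err := checkKey(key, classification); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(classification))
}

func main() {
	key, _ := NewKey("Strictly Confidential") // 32-byte key, AES-256
	sealed, _ := Seal(key, "Strictly Confidential", []byte("constructed sample plaintext"))
	pt, err := Open(key, "Strictly Confidential", sealed)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = Open(key, "Internal", sealed) // relabelling is detected
	fmt.Println("open as Internal:", err)
}
```

The AAD binding is the part worth copying: the table's "AES-GCM (AES-256)" is only meaningful if the system also remembers which classification a ciphertext belongs to, and authenticating the label is a cheap way to make that memory tamper-evident.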

Cryptographic Deletion

In cryptographic deletion, the key that protects an encrypted device is erased so that the data on it can no longer be decrypted. This only works if every copy of the key is destroyed, including backups, escrow copies and copies held by a key management service; the encrypted data itself may remain on the media.

a. Cryptographic deletion must be performed in a controlled manner to verify that the key cannot be recovered.