
Cryptography Policy

Classification Public
Location https://www.medcrowd.com/compliance/iso27001/policies/Cryptography
Author Paul Gardner
Approver Felix Jackson
Approved 2nd February 2017
Date Author Changes
19th June 2023 Paul Gardner Periodic review
6th June 2022 Paul Gardner Periodic review
16th February 2021 Paul Gardner Periodic review
12th February 2020 Paul Gardner Periodic review
15th May 2018 Paul Gardner Updated to reflect the migration to M:\
2nd February 2017 Paul Gardner Amazon Web Services is now an approved certificate provider
14th November 2016 Paul Gardner Moved to the web
31st May 2016 Paul Gardner Specifically state that the X:\ drive has unlimited retention
17th May 2016 Paul Gardner Change location of policy; split removable media out from mobile devices into its own section
29th July 2015 Paul Gardner Periodic review
8th September 2014 Paul Gardner Rebranding
1st July 2014 Paul Gardner Initial revision

Introduction

This policy is part of the medDigital ISMS and must be fully complied with.

It is critical that all information assets are afforded appropriate levels of encryption and that the encryption used evolves over time, in line with industry best practice.

medDigital has taken the view that all of our information assets should be encrypted at rest irrespective of their classification, and that the minimum level of encryption shall be AES with a 256-bit key.

Scope

This policy applies to all information assets as defined in the Asset Management Policy.

Laptop & Desktop Computers

Laptop & desktop computers must have a standard medDigital operating system image installed to ensure that workstations are identical and contain a known good configuration.

All laptop & desktop computers must have access to the provided encrypted network storage, the M drive. The M drive is encrypted in transit and at rest, provides version control and is backed up every 30 minutes with an unlimited retention period. Use of the M drive is also audited.

All medDigital information must be stored on the M drive and all local disks must be encrypted.

Mobile Devices

Mobile devices must support AES-256 encryption of local storage and this must be enabled at all times.

Mobile devices must have the latest version of the MDM application, Okta, installed at all times.

Servers

Application servers must use a minimum of TLS 1.2 when communicating with network clients. Connection attempts that are not encrypted or cannot use the TLS 1.2 standard must be rejected.

All databases must be AES-256 encrypted at rest. Passwords stored in these databases must be one-way hashed using a strong algorithm. Under no circumstances must passwords be stored in plain-text or be decryptable.

Key Management

Private key files are sensitive and should only be present where they are technically required, such as at a TLS endpoint. Access to the keys themselves should be restricted to IT.

TLS Certificates

Certificates must be obtained from an approved, competent certificate provider. medDigital has selected DigiCert, Let's Encrypt and Amazon Web Services as competent providers.