Introduction
This policy is part of the medDigital ISMS and must be fully complied with.
It is critical that all information assets are afforded appropriate levels of encryption and that
the encryption used evolves over time, in line with industry best practice.
medDigital has taken the view that all of our information assets should be encrypted at rest
irrespective of their classification, and that the minimum level of encryption shall be AES
with a 256-bit key.
Scope
This policy applies to all information assets as defined in the Asset Management Policy.
Laptop & Desktop Computers
Laptop & desktop computers must have a standard medDigital operating system image installed to ensure
that workstations are identical and contain a known good configuration.
All laptops & desktop computers must have access to the provided encrypted network storage, the M drive.
The M drive is encrypted in transit and at rest, provides version control, and is backed up every 30 minutes
with an unlimited retention period. Use of the M drive is also audited.
All medDigital information must be stored on the M drive, and all local disks must be encrypted.
Mobile Devices
Mobile devices must support AES-256 encryption of local storage, and this encryption must be enabled at all times.
Mobile devices must have the latest version of the MDM application, Okta, installed at all times.
Servers
Application servers must use a minimum of TLS 1.2 when communicating with network clients. Connection attempts
that are not encrypted or cannot use the TLS 1.2 standard must be rejected.
All databases must be AES-256 encrypted at rest. Passwords stored in these databases must be one-way
hashed using a strong algorithm. Under no circumstances may passwords be stored in plain text or in a
form that can be decrypted.
Key Management
Private key files are sensitive and should only be present where they are technically required, such as
at a TLS endpoint. Access to the keys themselves should be restricted to IT.
TLS Certificates
Certificates must be obtained from an approved, competent certificate provider. medDigital has selected
DigiCert, LetsEncrypt and Amazon Web Services as competent providers.