Purpose and Scope
This policy defines Shuffl's requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, in order to protect the confidentiality, integrity, and authenticity of Customer Personal Data as processed for the sole use of our service, as stated in our Terms and DPA.
This policy applies to all systems, equipment, facilities and information within the scope of Shuffl's information security program. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of Shuffl who work with Customer Personal Data are subject to this policy and must comply with it.
Background
This policy defines the high-level objectives and implementation instructions for Shuffl's use of data encryption protocols and the respective cryptographic algorithms and keys. Shuffl adopts a standard approach to cryptographic controls across all work centers in order to ensure end-to-end security while also promoting interoperability. This document defines the specific algorithms approved for use, the requirements for key management and protection, and the requirements for using cryptography in our cloud environments.
Policy
Shuffl protects the individual systems or information by means of cryptographic controls as defined in Table 1, Cryptographic Controls:
Table 1. Cryptographic Controls
Information System | Cryptographic Tool | Encryption Algorithm | Key Size
-------------------|--------------------|----------------------|------------
Public Key         | OpenSSL            | AES-256              | 256-bit key
Data Encryption    | OpenSSL            | AES-256              | 256-bit key
Virtual Private    | OpenSSL and        | AES-256              | 256-bit key
Website SSL        | OpenSSL, CERT      | AES-256              | 256-bit key
Except where otherwise stated, keys must be managed by their owners.
Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and by backing up keys on a regular basis.
When required, customers must be able to obtain information regarding:
The cryptographic tools used to protect their information.
The identity of the countries where the cryptographic tools are used to store or transfer cloud service customers’ data.
The use of organizationally-approved encryption must be governed in accordance with the laws of the country, region, or other regulating entity in which users perform their work.
Encryption must not be used to violate any laws or regulations including import/export restrictions.
The encryption used conforms to international standards and U.S. import/export requirements, and thus can be used across international boundaries for business purposes.
All key management must be performed using software that automatically manages access control, secure storage, backup and rotation of keys. Specifically:
The key management service must provide key access to specifically designated users, with the ability to encrypt/decrypt information and generate data encryption keys.
The key management service must provide key administration access to specifically designated users, with the ability to create keys, schedule key deletion, enable/disable rotation, and set usage policies for keys.
The key management service must store and backup keys for the entirety of their operational lifetime.
The key management service must rotate keys at least once every 12 months.
Shuffl uses AWS Key Management Service (AWS KMS), a managed service for creating and controlling customer master keys (CMKs), the encryption keys used to encrypt data. AWS KMS CMKs are protected by hardware security modules that are validated under the FIPS 140-2 Cryptographic Module Validation Program.
Personally Identifiable Information
Personally Identifiable Information ("PII") is classified as Confidential Information, which must be encrypted both at rest and in transit. Appropriate encryption technologies must be used to protect PII.
Access
The Managing Partner of Technical Operations or their designee shall ensure that:
Policies, procedures, scenarios, and processes identify the Confidential Information or PII that must be encrypted to protect it against persons or programs that have not been granted access.
Shuffl implements appropriate mechanisms to encrypt and decrypt Confidential Information or PII whenever deemed appropriate.
Internal procedures specify how Shuffl transmits sensitive information as well as how often the information is transmitted.
Procedures specify when encryption is needed, based on data classification, to protect Confidential Information or PII during transmission.
Procedures specify the methods of encryption used to protect the transmission of Confidential Information or PII.
When disk encryption is used rather than file-level or column-level database encryption, logical user access is managed separately and independently of the native operating system authentication and access control mechanisms (for example, local user account databases or general network login credentials are not used).
Encryption
Shuffl uses software encryption technology to protect Confidential Information or PII. To provide the highest level of security while balancing throughput and response times, encryption key lengths and algorithms used for Confidential Information or PII should follow current industry standards.
At-Rest
Full disk encryption shall be the method of choice for user devices containing Confidential Information or PII.
Confidential Information or PII at rest on computer systems owned by and located within Shuffl's controlled spaces, devices, and networks should be protected by one or more of the following mechanisms:
Disk System Encryption
Use of Virtual Private Networks (VPNs) and firewalls with strict access controls that authenticate the identity of the individuals accessing the Confidential Information or PII
Sanitizing, redacting, and/or de-identifying the data requiring protection during storage to prevent unauthorized risk and exposure (e.g., masking or blurring PII)
Supplemental compensating or complementary security controls, including complex passwords and physical isolation of, or physically restricted access to, the data
Authentication credentials (i.e., passwords/passphrases) shall be made unreadable by strong cryptography during transmission and storage on all information systems
Password protection shall be used in combination with all other controls, including encryption
File systems, disks, and tape drives in servers and Storage Area Network (SAN) environments are encrypted using industry-standard encryption technology
Computer hard drives and other storage media that have been encrypted shall be sanitized to prevent unauthorized exposure upon return for redistribution or disposal
Use of AWS RDS native data-at-rest encryption, which encrypts all data on the database instance with the AES-256 encryption algorithm
In-Transit
In-transit encryption refers to the protection of data while it is transmitted between endpoints. The intent of these policies is to ensure that Confidential Information or PII transmitted between companies, across physical networks, or wirelessly is secured and encrypted in a fashion that protects it from a breach.
The Managing Partner of Technical Operations shall ensure:
Formal transfer policies, protocols, procedures, and controls are implemented to protect the transfer of information through the use of all types of communication and transmission facilities
Users follow acceptable use policies when transmitting data and take particular care when transmitting or re-transmitting Confidential Information or PII received from external parties.
Strong cryptography and security protocols (e.g. TLS, IPSEC, SSH, etc.) are used to safeguard Confidential Information or PII during transmission over open public networks.
Only trusted keys and certificates are accepted, the protocols in use support only secure versions or configurations, and the encryption strength is appropriate for the encryption methodology in use.
Public networks include, but are not limited to, the Internet and wireless technologies, including 802.11, Bluetooth, and cellular technologies.
Confidential Information or PII transmitted in e-mail messages is encrypted.
Any Confidential Information or PII transmitted through a public network (e.g., the Internet) to and from vendors or customers must be encrypted or transmitted through an encrypted tunnel (VPN) or point-to-point tunneling protocols (PPTP) that include current Transport Layer Security (TLS) implementations.
Encryption or a secured channel is required when users access Confidential Information or PII remotely from a shared network.
Secure encrypted transfer of documents and Confidential Information or PII over the Internet uses current secure file transfer programs such as "SFTP" (FTP over SSH) and the secure copy command (SCP).
Standard Controls Satisfied
TSC CC9.9