
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-1

January 17, 2026

Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-1 – Cybersecurity requirements for cryptography must be defined, documented and approved.

Understanding the Requirement

This control requires an organization to create a clear, written cryptography policy that states what algorithms and solutions are allowed, how cryptographic keys are managed through their lifecycle, and when data must be encrypted based on sensitivity and applicable laws and regulations. The policy must be documented, operationalized, and formally approved by executive management so it has organizational authority and can be enforced.

Technical Implementation

  • Inventory and classification: Start by identifying where cryptography is used (TLS for web, database at-rest encryption, file stores, backups, code signing, VPNs). Map each use to a data classification (public, internal, confidential, regulated) and note regulatory requirements (PCI, HIPAA, local data protection laws).
  • Define approved algorithms and versions: Specify approved algorithms and minimum protocol versions (for example, TLS 1.2+ with AEAD ciphers, AES-256-GCM for symmetric encryption, ECDSA or RSA-2048+ for signatures, and disallow deprecated algorithms like MD5, SHA-1, RC4, or legacy CBC-mode without mitigations). Document restrictions (no custom or proprietary algorithms).
  • Key lifecycle management: Document key creation, storage, usage limits, rotation schedules, backup, archival, and secure destruction. Use a managed Key Management Service (KMS) or HSM when possible. Enforce least-privilege access to keys, multi-person controls for key recovery, and automated rotation for certificates and keys where practical.
  • Encryption in transit and at rest: Define when data must be encrypted—e.g., all regulated or confidential data must be encrypted in transit and at rest. Specify implementation controls like enforcing HTTPS with strong ciphers, enabling database encryption (TDE or application-level encryption), and encrypting backups and cloud storage with customer-managed keys if required.
  • Approval, documentation, and change control: Create a short cryptography policy document and a one-page standards appendix (approved protocols, cipher lists, key lengths, rotation periods). Require executive sign-off and route any exceptions through a formal risk-acceptance process. Integrate crypto changes into your change control and vulnerability management processes.
  • Monitoring, testing, and training: Log cryptographic errors and certificate issues, scan internet-facing systems for weak TLS settings, and periodically test key recovery and rotation. Provide concise developer guidance and training so teams know how to use approved libraries, avoid insecure patterns, and follow the policy.
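The "approved algorithms" appendix and the periodic weak-TLS scan from the list above can be joined into one policy-as-code check. The block below is an added example, not code from the article or from any vendor tool: the standards appendix is expressed as data, and a scanner's observations for each endpoint are evaluated against it. The `POLICY` values, the inventory shape and the hostnames are constructed assumptions for illustration.

```python
# Policy-as-code: evaluate each endpoint's observed TLS settings against the standards
# appendix (minimum protocol version, AEAD-only ciphers, key length, no legacy hashes).
PROTOCOL_ORDER = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
AEAD_TOKENS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")  # AEAD markers in IANA suite names

POLICY = {  # the approved-standards appendix as data (constructed to mirror the list above)
    "min_protocol": "TLSv1.2",
    "banned_tokens": ("MD5", "RC4", "NULL", "EXPORT", "DES"),  # "DES" also matches 3DES
    "min_rsa_bits": 2048,
    "banned_sig_hashes": ("md5", "sha1"),
}

def check_endpoint(host, observed):
    """Return policy findings (strings) for one endpoint's observed TLS configuration."""
    findings = []
    floor = PROTOCOL_ORDER[POLICY["min_protocol"]]
    for proto in observed["protocols"]:
        if PROTOCOL_ORDER.get(proto, -1) < floor:  # unknown protocol names count as failures
            findings.append(f"{host}: {proto} enabled, below minimum {POLICY['min_protocol']}")
    for cipher in observed["ciphers"]:
        if any(t in cipher for t in POLICY["banned_tokens"]):
            findings.append(f"{host}: banned cipher {cipher}")
        elif cipher.endswith("_SHA"):  # legacy CBC suites with an HMAC-SHA1 MAC
            findings.append(f"{host}: SHA-1 MAC cipher {cipher}")
        elif not any(t in cipher for t in AEAD_TOKENS):
            findings.append(f"{host}: non-AEAD cipher {cipher} needs a documented exception")
    cert = observed["certificate"]
    if cert["key_type"] == "RSA" and cert["key_bits"] < POLICY["min_rsa_bits"]:
        findings.append(f"{host}: RSA-{cert['key_bits']} key below {POLICY['min_rsa_bits']} bits")
    if cert["sig_hash"].lower() in POLICY["banned_sig_hashes"]:
        findings.append(f"{host}: certificate signed with {cert['sig_hash']}")
    return findings

def check_inventory(inventory):
    # Map host -> findings, keeping only endpoints that violate the policy
    report = {h: check_endpoint(h, o) for h, o in inventory.items()}
    return {h: f for h, f in report.items() if f}

# Constructed sample inventory in the shape a TLS scanner might report (not real hosts).
SAMPLE_INVENTORY = {
    "app.example.com": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        "certificate": {"key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256"}},
    "legacy.example.com": {
        "protocols": ["TLSv1.0", "TLSv1.2"],
        "ciphers": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],
        "certificate": {"key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1"}},
}
```

Each finding maps to a line of the standards appendix, so the quarterly review can either fix the endpoint or record it as an exception in the risk register.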

Example in a Small or Medium Business

Acme Cloud Services, a 60-person SaaS company, created a short cryptography policy that lists approved algorithms, requires TLS 1.2+ for all web traffic, mandates AES-256-GCM for sensitive data at rest, and specifies AWS KMS for key storage. The CTO drafted the policy and the CEO gave formal approval, documenting the executive sign-off. Developers were given a two-page quick reference showing how to use platform SDKs with KMS and which cipher suites to avoid. The operations team implemented automated certificate provisioning and renewal for public endpoints and enforced disk and database encryption with customer-managed keys in their cloud environment. A quarterly review process was established to scan for weak TLS configurations, rotate keys as scheduled, and record any exceptions in a risk register that required senior management approval. Training sessions and a one-page cheat sheet reduced insecure ad-hoc cryptography in the codebase, and an incident playbook now includes steps for key compromise and recovery using documented backup keys and multi-person approval for recovery operations.

Summary

By documenting approved cryptographic standards, specifying key lifecycle practices, enforcing encryption based on data classification and legal requirements, and obtaining executive approval, SMBs create an authoritative, actionable cryptography program. Combining a short formal policy with practical technical controls—KMS/HSM use, enforced TLS and at-rest encryption, automated rotation and monitoring, and developer guidance—meets the control's intent and makes cryptography predictable, auditable, and manageable for the organization.
