RISM10 Cryptography Policy

UCL Research Data Information Security Management System Cryptography Policy

Document Name: RISM10-Cryptography_Policy

Author: Tim Machin

Classification: Public

Version: 1.1

Last Review Date: 11/04/2025

Last Reviewed by: Angharad Green

Approved by: OMG

Approved date: 12/03/2025

Review Period: 3 Years

1. Scope

This policy defines the minimum requirements for encryption on information systems within the scope of the Research Data ISMS. This includes:

  • Data at rest (e.g. files, databases)
  • Data in transit (e.g. network traffic)
  • System communications and user access control

2. Conventions used in this Document

Term      Definition
Shall     A mandatory requirement of this policy
Should    A recommended requirement of this policy
May       An optional requirement of this policy

3. Cryptographic Standards

  • All cryptographic algorithms, protocols, and key lengths shall meet or exceed industry standards (e.g., AES-256, RSA-2048, SHA-256) and comply with legal and regulatory requirements.
  • Deprecated or insecure algorithms (e.g., MD5, DES) shall not be used for any purpose.

4. Key Management

  • Keys shall be stored securely and protected against unauthorised access, modification or loss.
  • Cryptographic keys shall be changed periodically and when a key is compromised.

5. Encryption of Data

  • All sensitive data should be encrypted at rest. Where this is not possible, other controls must be in place to prevent access to data if the storage medium is compromised.
  • All sensitive data should be encrypted in transit between components of a Trusted Research Environment (TRE). Where this is not possible, other controls must be in place to prevent unauthorised access to data.
  • Data shall be encrypted when in transit between a TRE and an external network.

6. Digital Signatures and Certificates

  • Certificates should be managed through a formal process including renewal, revocation, and auditing.
  • Automated Certificate Management should be used where possible to manage the renewal of certificates.