- All data transmission is encrypted end to end using encryption keys managed by LifeWIRE. Encryption is not terminated at the network end point, and is carried through to the application.
- Transmission encryption keys and machines that generate keys are protected from unauthorized access. Transmission encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
- Transmission encryption keys use SSL with 2048-bit RSA keys, or keys and ciphers of equivalent or higher cryptographic strength (e.g., 256-bit AES session keys in the case of IPsec encryption).
- Transmission encryption keys are limited to use for one year and then must be regenerated.
- In the case of LifeWIRE-provided APIs, provide mechanisms to assure that the person sending or receiving data is authorized to send and save data.
- System logs of all transmissions of Production Data access. These logs must be available for audit.
17.10 Data Classification
Information assets are classified according to their level of sensitivity as follows:
• Level 1: Low-sensitive information. Information that is not protected from disclosure, that if disclosed will not jeopardize the privacy or security of employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy.
• Level 2: Sensitive information that may not be protected from public disclosure, but if made easily and readily available, the organization follows its disclosure policies and procedures before providing this information to external parties.
• Level 3: Sensitive information intended for limited business use that can be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of employees, clients, or partners.
• Level 4: Information that is deemed extremely sensitive and is intended for use by named individuals only. This information is typically exempt from public disclosure. Users of information systems are notified and made aware when the data they are accessing contains PII. (pg. 248, CSF v9.3)
All Data maintained in LifeWIRE systems shall be classified as Level 4, assumed to contain PHI. All Level 4 Data shall be encrypted. Any unencrypted data on the Production system shall be treated by the Privacy Officer as a Breach and treated according to Breach Policy 12.2.
Data Security Classifications shall be reviewed by the Privacy Officer at least annually.