PPPR-04

Can you accommodate encryption requirements using open standards?

Explanation

This question is asking whether your organization can implement encryption using open standards rather than proprietary encryption methods. Open standards for encryption are publicly available specifications for implementing encryption algorithms and protocols. Examples include AES (Advanced Encryption Standard), TLS (Transport Layer Security), RSA, and other widely accepted encryption standards that have been thoroughly reviewed by the security community. Why this matters in a security assessment: 1. Interoperability: Open standards ensure your encrypted data can work with other systems and services. 2. Security validation: Open standards have typically undergone extensive peer review and testing. 3. Avoiding vendor lock-in: Proprietary encryption might tie you to specific vendors. 4. Regulatory compliance: Many regulations specifically require the use of open encryption standards. 5. Future-proofing: Open standards are more likely to be supported long-term. The assessor wants to confirm you're not using obscure, proprietary, or "home-grown" encryption methods that haven't been properly vetted by security experts. The security principle "don't roll your own crypto" is relevant here - creating custom encryption is extremely risky and almost always less secure than established standards.

Example Responses

Example Response 1

Yes, our organization fully supports and implements encryption using open standards We use AES-256 for data at rest encryption, TLS 1.2/1.3 for all data in transit, and RSA-2048 or higher for asymmetric encryption needs Our key management practices follow NIST guidelines, and we support standard protocols like HTTPS, SFTP, and IPsec for secure communications We regularly review our encryption implementations to ensure they remain compliant with current standards and best practices.

Example Response 2

Yes, we implement encryption using open standards across our entire infrastructure and application stack For data at rest, we use FIPS 140-2 validated encryption modules implementing AES-256 All network communications are secured using TLS 1.2+ with strong cipher suites as recommended by NIST SP 800-52r2 We support standard encryption protocols like SSH, HTTPS, and S/MIME Our cryptographic implementations are regularly reviewed by third-party security firms to ensure proper implementation of these open standards.

Example Response 3

Partially While we do use some open standards like TLS 1.2 for web traffic and HTTPS for our customer-facing portal, our core application uses a proprietary encryption algorithm developed in-house for historical reasons This custom encryption method was developed before widespread adoption of current standards and is deeply integrated into our legacy systems We recognize this is not ideal from a security perspective, and we have a 12-month roadmap to migrate all proprietary encryption to AES-256 and other open standards, but we cannot currently accommodate all encryption requirements using open standards.

Context

Tab
Organization
Category
Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron