    Enterprise Encryption Standards

    I. Purpose

    To provide information about the security, method(s) and usage of encryption on Kelly Services technology assets.

    II. Persons Affected

    All full-time, part-time, or temporary Kelly Services employees who are issued, or who access, a Kelly Services technology asset.

    III. Standard

    Kelly Services recognizes that, in order to meet compliance, customer and privacy requirements, encryption must be used to protect confidential, private and non-public data.

    Kelly's standards are outlined by technology asset type (e.g. laptop, mobile device, email) and reference any other applicable standard that supports or supersedes the encryption standard requirements.

    III a. Mobile Device Encryption:

    For employees to be eligible to use their mobile device on the Kelly Services email platform, the device must comply with the Mobile Device Standard and participant agreement document. Devices listed within the Mobile Device Standard support, at a minimum:

    • Encryption of all device storage (local and external)
    • AES (Advanced Encryption Standard) 256-bit encryption
    • Remote security wipe of both the data storage area and the encryption key (also known as "crypto-shredding")

    III b. Email Encryption [S/MIME]:

    For employees to securely process and email confidential information, they are required to use e-mail-based encryption.

    • Users are required to use a certificate issued by the Kelly Services CA
    • If encryption with external parties is required, users must request, via the Hotline, a Digital ID certificate from COMODO or another approved third-party public Certificate Authority
    • Certificates will be issued for, and bound to, the primary SMTP address defined within the Kelly Services BPOS service
    • Digital ID certificates must use the SHA-1 hash algorithm
    • Digital ID certificates must use at least AES (Advanced Encryption Standard) 256-bit encryption
    • Users are responsible for publishing their latest Digital ID to the Kelly Services BPOS GAL (Global Address List)

    III c. Email Encryption [PGP]:

    This standard applies to employees who securely process and email confidential information to customers who require the use of PGP encryption.

    • Users are required to use the certificate generated during the PGP install
    • Users who require PGP will need their business unit to fund the acquisition of a PGP usage license (approx. $130 per seat, with a $30 annual renewal)
    • Users will need to contact the HOTLINE and have a case opened for the installation and configuration of PGP
    • Certificates will be generated to meet customer requirements, or at least AES (Advanced Encryption Standard) 256-bit encryption. Where the customer specifies a certificate strength, it takes priority over the Kelly minimum requirement
    • Users are responsible for sharing their public PGP key with the customer as needed

    III d. Email Encryption [Department of Defense ECA Digital ID]:

    This standard applies to employees who securely process and email confidential information to DoD and other government-related customers.

    • Users are required to use an ECA-signed Digital ID
    • Users who require ECA-signed Digital IDs will need their business unit to fund the acquisition of an ECA Digital ID (approx. $120 per seat annually), paid by credit card
    • Users will need to contact VeriSign and register online [https://eca.verisign.com/enrollintro.htm]
    • Certificates will be generated to meet FIPS 140-1/2 Level 1 [AES (Advanced Encryption Standard) 256-bit encryption]
    • Users are responsible for sharing their public ECA certificate with the customer as needed
    • Users are required to have their ECA application notarized

    III e. USB Device Encryption:

    This standard applies to employees who securely process and transfer confidential information using USB storage devices, where they are required to do so by customer agreement or by law (such as the Massachusetts data privacy law).

    • Users who require secure USB storage devices will need their business unit district manager to APPROVE and FUND the acquisition of an IRONKEY Enterprise D200 (approx. $80 per seat, with a $25 per seat annual fee)
    • Users will need to contact Kelly Services IT Security to acquire and provision the IRONKEY product once approval and funding have been received
    • Secure USB storage must be FIPS 140-2 Level 3 certified
    • Secure USB storage must use at least AES (Advanced Encryption Standard) 256-bit encryption
    • Secure USB storage devices must prevent brute-force attacks (repeated password guesses to gain access)
    • Secure USB storage devices must support remote security wipe of both the data storage area and the encryption key (also known as "crypto-shredding")

    III f. Laptop Storage Encryption:

    This standard applies to employees who are required, by customer agreement or by law (such as the Massachusetts data privacy law), to have all customer-related data encrypted at rest on a portable device such as a Kelly Services issued laptop.

    • The Kelly Services laptop encryption standard is hardware-based whole-disk encryption using the Seagate Momentus 7200 FDE.2 laptop hard disk [ST9250411AS or later]
    • Users who require laptop encryption will need their business unit district manager to APPROVE and FUND the acquisition of a Seagate Momentus 7200 FDE.2 laptop hard disk (approx. $80 per seat)
    • Users will need to contact the HOTLINE to acquire and provision the self-encrypting drive once approval and funding have been received
    • Secure self-encrypting hard disks must be at least FIPS 140-2 Level 2 certified
    • Secure self-encrypting hard disks must use at least AES (Advanced Encryption Standard) 256-bit encryption
    • Secure self-encrypting hard disks must prevent brute-force attacks (repeated password guesses to gain access)
    • Secure self-encrypting hard disks must support multiple authentication accounts / user levels (e.g. each user has their own password to authenticate to the device)
    • Secure self-encrypting hard disks must use a pre-boot authentication method to authenticate the user to the device

    III g. File Transfer Encryption:

    For employees to be eligible to use the central Kelly Services File Transfer Service for business and customer needs, the transfer process must be compliant and approved per the Kelly Services File Transfer Request Form document. At a minimum, all file transfers must be encrypted using at least one of the following:

    • Secure FTP via TCP port 21
    • Secure file transfer using SCP via TCP port 22
    • SSL (128-bit, using the AES algorithm) web-portal transfer via TCP port 443
    • PGP-encrypted archive using AES (Advanced Encryption Standard) 256-bit encryption

    III h. Web Site SSL Encryption:

    For employees, customers and other individuals to interact securely with Kelly Services' various web-based applications, and to protect the data entered into them, web application sessions should use SSL to encrypt the data.

    • SSL services must be SSLv3 / TLS v1.2
    • SSL (128-bit, using the AES algorithm) web-portal transfer via TCP port 443
    • Internal applications should have certificates issued from the Kelly Services CA environment. All others should use a certificate from a publicly trusted third-party CA such as VeriSign

    V. Enforcement

    Kelly Services reserves the right to audit, review and take necessary action on any device found to be in violation of both the Kelly Services AUP and this standard.

    VI. Revisions

    • 7/2/10 – Version 2.2 of the Encryption Standard: additional standard added (SSL) and other standards updated based on feedback from the IT Security team.
    • 7/1/10 – Version 2 of the Encryption Standard: document layout changed, content added.
    • 6/12/10 – Version 1 of the Encryption Standard: draft.

    VII. Definitions
