Your vendors should implement robust encryption practices with respect to confidential information. Examples of best practices include:  

1. Passwords and trade secret information should be encrypted in transmission and at rest.  

2. Data should be encrypted if required by law using a solution that meets the legal and regulatory requirements for data encryption.  

3. Encryption key management practices should be in place to ensure the confidentiality of information.

4. Encryption keys should be protected from unauthorized use, disclosure, alteration, and destruction, and should have a backup and recovery process.

5. If a private encryption key is compromised, all associated certificates should be revoked.




6. Encryption keys should have a defined lifetime after which they are securely destroyed.  Vendors handling trade secret information should change encryption keys at least once every 12 months.  

7. The minimum key length requirements for all systems that process customer information requiring encryption should be (unless otherwise required by local law):

  • Minimum 256-bit symmetric keys  
  • Minimum 2048-bit public (asymmetric) keys, or 256-bit elliptic curve  

8. Company credentials should be encrypted in storage and transmission. Therefore, using insecure protocols such as file transfer protocol (FTP) and Telnet should not be permitted.  

9. Trade secret information should be transmitted using then-current Transport Layer Security (TLS) (1.2 or greater).

10. All browser connections to customer applications should support SHA-2 certificates and TLS 1.2 connections.

11. Mail servers should be configured to require TLS 1.2 connections. The vendor domain, e.g., company123.com, should be added to the customer’s TLS required list and vice versa: the customer domain should be added to the vendor’s TLS required list.

12. All symmetric encryption should employ the AES algorithm.

13. Certificates for consumer applications and business-to-business applications should be signed by a commercial Certificate Authority.

14. Self-signed certificates should not be used by vendors.
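
As an added illustration (not part of the original checklist), the Python sketch below shows one way a client could enforce items 7, 9 and 12 with the standard `ssl` module and then audit what is still enabled. The function names and the `ECDHE+AES256` cipher string are choices made for this example. It also surfaces a common gap: `set_ciphers()` does not filter TLS 1.3 suites, so 128-bit or non-AES TLS 1.3 suites can remain enabled.

```python
import ssl

MIN_SYMMETRIC_BITS = 256  # item 7: minimum 256-bit symmetric keys


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 (item 9) and,
    for TLS 1.2, offers only ECDHE suites keyed with AES-256 (items 7, 12)."""
    ctx = ssl.create_default_context()  # keeps chain and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string (example choice): forward-secret key exchange AND AES-256.
    # It filters TLS 1.2-and-older suites only; TLS 1.3 suites are not affected.
    ctx.set_ciphers("ECDHE+AES256")
    return ctx


def noncompliant_suites(ctx: ssl.SSLContext) -> list:
    """Return enabled suites that are not AES or use keys shorter than 256 bits."""
    findings = []
    for suite in ctx.get_ciphers():
        is_aes = "AES" in suite["name"]
        strong = suite["strength_bits"] >= MIN_SYMMETRIC_BITS
        if not (is_aes and strong):
            findings.append({
                "name": suite["name"],
                "protocol": suite["protocol"],
                "bits": suite["strength_bits"],
            })
    return findings


if __name__ == "__main__":
    context = build_client_context()
    print("minimum version:", context.minimum_version.name)
    for finding in noncompliant_suites(context):
        # Typically lists TLS 1.3 suites such as the 128-bit AES and ChaCha20 ones,
        # which must be restricted in the OpenSSL configuration or at the server.
        print("still enabled:", finding)
```

Any suite this reports has to be restricted outside `set_ciphers()`, for example in the system OpenSSL configuration or on the server side of the connection.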

Remember that any reference to “vendor” includes all personnel involved in the contract, including any of your employees, suppliers, and subcontractors. You should have a process in place to make sure that you consistently demonstrate compliance with your customer’s information security requirements. Any instances of noncompliance will be expected to be promptly remediated.