Please note that these guidelines are not final and still in development

Security Development Lifecycle

Define and Use Cryptography Standards

Practice #07

With the rise of mobile and cloud computing, it’s critically important to ensure all data, including security-sensitive information and management and control data, is protected from unintended disclosure or alteration when it’s being transmitted or stored.

Encryption is typically used to achieve this. Because an incorrect choice in any aspect of cryptography can be catastrophic, it’s best to develop clear encryption standards that specify every element of the encryption implementation, and to leave that work to experts. A good general rule is to use only industry-vetted encryption libraries and to integrate them in a way that allows them to be easily replaced if needed.
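As an added illustration of the replaceable-library rule above (example code, not part of the SDL or the UCOP guidelines): a small Go envelope format that tags every ciphertext with a scheme identifier and dispatches to the standard library's AES-GCM, so the algorithm or key size can be rotated later without rewriting callers or losing data already stored. The scheme ids, key-size registry and envelope layout are assumptions chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Every ciphertext starts with a scheme byte so the algorithm can be rotated later.
const SchemeAES128GCM, SchemeAES256GCM byte = 1, 2

// keySizes is the one registry a new scheme has to be added to (assumed layout).
var keySizes = map[byte]int{SchemeAES128GCM: 16, SchemeAES256GCM: 32}

// newAEAD builds AES-GCM from the standard library; an unknown scheme or a key
// whose length does not match the scheme is refused rather than silently used.
func newAEAD(scheme byte, key []byte) (cipher.AEAD, error) {
	if want, ok := keySizes[scheme]; !ok || len(key) != want {
		return nil, errors.New("unknown scheme or wrong key length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns scheme || nonce || ciphertext+tag; aad is authenticated, not encrypted.
func Seal(scheme byte, key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(scheme, key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte{scheme}, nonce...), nonce, plaintext, aad), nil
}

// Open dispatches on the scheme byte and fails closed on an unknown scheme,
// a truncated blob, or any change to the header, ciphertext, or aad.
func Open(key, aad, blob []byte) ([]byte, error) {
	if len(blob) == 0 {
		return nil, errors.New("empty blob")
	}
	aead, err := newAEAD(blob[0], key)
	if err != nil || len(blob) < 1+aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("unknown scheme, wrong key length, or truncated blob")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, blob[1:1+ns], blob[1+ns:], aad)
}
```

Adding a scheme means one more registry entry and, if it is not AES-GCM, one more branch in newAEAD; callers and stored data are untouched.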

See Section 4.7 of the UCOP Secure Software Guidelines, which covers encryption standards for Web Applications.

https://security.ucop.edu/policies/secure-software-development.html