Cryptography and data protection prompts
What you'll achieve
Implement cryptographic controls and data protection mechanisms that meet ISO 27001 Annex A.10 and A.8.11, GDPR Article 32 and 34, SOC 2 CC6.7, and NIST SP 800-57/800-175 cryptography standards. These prompts help you design encryption, key management, and data handling systems.
Cryptographic strategy and policy
Cryptography policy and standards
Create a cryptography policy for [organization] covering [use cases]. Include:
- Approved encryption algorithms (AES-256, RSA-2048/4096, ECDSA, etc.)
- Deprecated/forbidden algorithms (DES, MD5, SHA-1, RC4)
- Key lengths and rotation requirements by use case
- Encryption use cases (data at rest, data in transit, backups, removable media)
- Key management responsibilities
- Cryptographic library and tool standards
- Random number generation requirements
- Quantum-resistant cryptography roadmap
- Export control and regulatory compliance
- Exception process and risk acceptance
- Compliance mapping (ISO 27001 A.10.1, GDPR Art. 32, SOC 2 CC6.7, NIST SP 800-175)
Output as policy document and approved algorithms matrix.
Cryptographic controls selection
Design cryptographic control selection framework for [data types/systems]. For each asset category, specify:
- Data classification level
- Encryption-at-rest requirements (algorithm, key type, key management)
- Encryption-in-transit requirements (TLS version, certificate requirements)
- Hashing requirements (for integrity, passwords, digital signatures)
- Key storage mechanism (HSM, KMS, software vault)
- Performance and compatibility considerations
- Regulatory requirements (GDPR, HIPAA, PCI DSS)
- Cost implications
- Implementation priority
Include decision matrix and technical specifications.
Key management
Key management system (KMS) architecture
Design a key management system for [organization] using [AWS KMS/Azure Key Vault/GCP Cloud KMS/HashiCorp Vault/on-premises HSM]. Include:
- Key hierarchy (master key, data encryption keys, key encryption keys)
- Key generation and entropy sources
- Key storage (HSM, software, cloud KMS)
- Access controls and authentication (RBAC, MFA for key operations)
- Key rotation schedule (automated/manual, frequency)
- Key versioning and history
- Key backup and disaster recovery
- Key destruction and sanitization
- Audit logging of all key operations
- Integration with applications and infrastructure
- Compliance requirements (FIPS 140-2/3, PCI DSS, GDPR)
Map to ISO 27001 A.8.24, SOC 2 CC6.7, NIST SP 800-57.
Key lifecycle management procedures
Create key lifecycle procedures covering all phases for [environment]. Address:
Generation:
- Approved key generation methods
- Randomness requirements (CSPRNG)
- Key strength by purpose
Distribution:
- Secure key transport mechanisms
- Initial key loading procedures
- Key wrapping and encryption
Storage:
- HSM vs. software storage criteria
- Access controls and segregation
- Backup and redundancy
Usage:
- Approved cryptographic operations
- Usage monitoring and anomaly detection
- Performance considerations
Rotation:
- Rotation triggers (time, usage, compromise)
- Automated vs. manual rotation
- Zero-downtime rotation procedures
Destruction:
- Secure deletion methods (cryptographic erasure, physical destruction)
- Certificate revocation
- Audit trail retention
Document for ISO 27001 A.8.24, SOC 2 CC6.7.
Certificate management and PKI
Design Public Key Infrastructure (PKI) and certificate management for [organization]. Include:
- Certificate Authority strategy (internal CA, public CA, hybrid)
- Certificate types and use cases (TLS/SSL, code signing, email, client auth)
- Certificate lifecycle (request, issuance, renewal, revocation)
- Automated certificate management (ACME protocol, Let's Encrypt, ACM)
- Certificate inventory and expiration monitoring
- Revocation checking (CRL, OCSP)
- Private key protection and storage
- Wildcard vs. specific certificate policy
- Certificate pinning considerations
- Disaster recovery (CA backup, escrow)
- Compliance requirements (CA/Browser Forum, PCI DSS, ISO 27001 A.10.1)
Include architecture diagram and runbooks.
Data encryption implementations
Database encryption strategy
Create database encryption architecture for [database types]. Include:
Transparent Data Encryption (TDE):
- TDE implementation ([SQL Server/Oracle/MySQL/PostgreSQL])
- Key management integration
- Performance impact mitigation
Column-level encryption:
- Sensitive field identification
- Application-layer vs. database-layer encryption
- Key per tenant/customer considerations
Backup encryption:
- Backup encryption methods
- Key management for backup keys
- Restore procedures and key availability
Always Encrypted / Client-side encryption:
- Use cases and limitations
- Key distribution to applications
- Search and query implications
Map to GDPR Art. 32, PCI DSS Req. 3, ISO 27001 A.8.24, SOC 2 CC6.7.
File and object storage encryption
Design encryption for file and object storage in [cloud/on-premises]. Include:
Cloud object storage (S3/Blob/GCS):
- Server-side encryption (SSE-S3, SSE-KMS, SSE-C for AWS)
- Client-side encryption before upload
- Bucket policies to enforce encryption
- Key management (customer-managed vs. provider-managed)
- Access controls and least privilege
File servers:
- Full disk encryption (BitLocker, LUKS, FileVault)
- File-level encryption for sensitive data
- Network share encryption (SMB 3.0 encryption)
- Encrypted backup integration
Removable media:
- USB encryption requirements
- Authorized device management
- Data loss prevention integration
Align with ISO 27001 A.8.24, GDPR Art. 32, SOC 2 CC6.7.
Application-layer encryption
Implement application-layer encryption for [application type]. Include:
- Field-level encryption for PII/PCI data
- Encryption library selection ([language]-specific, vetted libraries)
- Secure key injection (environment variables, secrets manager)
- Envelope encryption pattern (data key + key encryption key)
- Initialization vector (IV) generation and handling
- Authenticated encryption (AES-GCM, ChaCha20-Poly1305)
- Key rotation without data re-encryption (versioned DEKs)
- Search on encrypted data (deterministic encryption, tokenization, format-preserving encryption)
- Performance optimization (caching, async encryption)
- Error handling (key unavailable, decryption failure)
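Worked example, added here and not part of the prompt library or of any vendor's code: the envelope-encryption pattern, AES-GCM with a fresh random nonce per message, versioned DEK wrapping, rotation by re-wrapping, and the error split between "key unavailable" and "decryption failed" from the bullets above, in Go using only the standard library. It also covers the rotation and cryptographic-erasure items from the key lifecycle prompt. The kms type is a hypothetical in-process stand-in for a real KMS/HSM, and the ssn field and its value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// kms is a hypothetical in-process stand-in for a real KMS/HSM; KEKs sit in memory only so the
// example runs offline. Deleting a version from keks is cryptographic erasure of everything wrapped only under it.
type kms struct {
	keks    map[uint32][]byte // KEK version -> 256-bit key
	current uint32
}

func newKMS() *kms { k := &kms{keks: map[uint32][]byte{}}; k.Rotate(); return k }
// Rotate adds a new KEK version; older versions stay available for unwrapping.
func (k *kms) Rotate() { k.current++; k.keks[k.current] = randBytes(32) }

// randBytes reads the OS CSPRNG and refuses to continue if it fails.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("CSPRNG unavailable: " + err.Error())
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length; keys here are always 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal is AES-256-GCM with a fresh random 96-bit nonce prepended; never reuse a nonce under one key.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong AAD or any flipped bit returns an error, never garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// Record is the stored envelope: KEK version, wrapped DEK, field ciphertext.
type Record struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}
func wrapAAD(v uint32) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) } // binds KEK version into the wrap

// Encrypt uses a fresh DEK per record; the field name is AAD so a ciphertext cannot move to another column.
func Encrypt(k *kms, field string, plaintext []byte) *Record {
	dek := randBytes(32)
	wrapped := seal(k.keks[k.current], dek, wrapAAD(k.current))
	return &Record{KEKVersion: k.current, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(field))}
}

// unwrapDEK keeps "key unavailable" distinct from "unwrap failed" so callers alert on the right one.
func unwrapDEK(k *kms, r *Record) ([]byte, error) {
	kek, ok := k.keks[r.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d unavailable", r.KEKVersion)
	}
	return open(kek, r.WrappedDEK, wrapAAD(r.KEKVersion))
}

func Decrypt(k *kms, field string, r *Record) ([]byte, error) {
	dek, err := unwrapDEK(k, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(field))
}

// Rewrap moves a record to the current KEK without touching the data ciphertext.
func Rewrap(k *kms, r *Record) error {
	dek, err := unwrapDEK(k, r)
	if err != nil {
		return err
	}
	r.WrappedDEK, r.KEKVersion = seal(k.keks[k.current], dek, wrapAAD(k.current)), k.current
	return nil
}

func main() {
	k := newKMS()
	rec := Encrypt(k, "ssn", []byte("123-45-6789")) // constructed sample value
	pt, err := Decrypt(k, "ssn", rec)
	fmt.Println(string(pt), err)
}
```

The rotation sequence is Rotate, then Rewrap every record (only the wrapped DEK changes, the field ciphertext is never rewritten), then delete the old KEK version once no record references it; deleting the only version a record depends on is the cryptographic erasure the destruction prompts refer to. Decrypt returns a distinct "KEK version unavailable" error, which is the condition to alert on rather than treat as a corrupt record.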
Map to ISO 27001 A.14.1.2, SOC 2 CC6.7, OWASP cryptographic guidance.
Data classification and handling
Data classification scheme
Create a data classification framework for [organization]. Define:
Classification levels (e.g., Public, Internal, Confidential, Restricted):
- Definition and examples for each level
- Regulatory mapping (GDPR special categories, HIPAA PHI, PCI DSS cardholder data)
- Handling requirements (encryption, access controls, retention, disposal)
- Labeling and marking requirements
- Transmission restrictions (encrypted channels, approved methods)
- Storage requirements (approved locations, encryption)
Implementation:
- Data discovery and classification tools ([Microsoft Purview/Varonis/BigID])
- User training and responsibilities
- Automated tagging and DLP integration
- Declassification and downgrade procedures
- Audit and compliance validation
Map to ISO 27001 A.8.2, GDPR Art. 5, SOC 2 CC6.7.
Data minimization and retention
Design data minimization and retention program for [organization]. Include:
- Data inventory and mapping (what data, why collected, where stored)
- Lawful basis and purpose limitation (GDPR Art. 5, 6)
- Collection reduction (only necessary data)
- Retention schedules by data type (legal, regulatory, business need)
- Automated deletion/anonymization workflows
- Legal hold procedures
- Backup retention alignment
- Data subject rights implementation (erasure, portability)
- Documentation for compliance (data protection impact assessments)
- Regular review and update process
Align with GDPR Art. 5, 17, 25, ISO 27001 A.8.10, SOC 2 CC6.5.
Data masking and anonymization
Create data masking and anonymization strategy for [use cases]. Include:
Static data masking:
- Irreversible masking for non-production environments
- Referential integrity preservation
- Techniques (substitution, shuffling, number variance)
- Testing and validation
Dynamic data masking:
- Real-time masking based on user role
- Application integration
- Performance considerations
Tokenization:
- Token vault architecture
- Format-preserving tokenization
- Detokenization controls
Pseudonymization:
- GDPR Art. 4(5) compliance
- Key management for pseudonyms
- Re-identification prevention
Synthetic data generation:
- Maintaining statistical properties
- Use cases (ML training, testing)
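Worked example, added here and not part of the prompt library or of any product's code: keyed pseudonymization that preserves referential integrity (the same identifier maps to the same pseudonym in every table) and a format-preserving tokenization vault with role-gated detokenization, from the static masking, tokenization and pseudonymization items above, in Go with the standard library. The TokenVault is a hypothetical in-memory stand-in for a real vault service, the payments-service role is an assumed name, and the key and PAN values are constructed test data.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Pseudonymizer maps an identifier to a keyed HMAC-SHA256 pseudonym. The same
// input always yields the same pseudonym, so joins across tables keep working,
// while reversal needs the key, which lives apart from the data (GDPR Art. 4(5)).
// Destroying the key after a one-off run turns this into irreversible static
// masking for non-production copies that still preserves referential integrity.
type Pseudonymizer struct{ key []byte }

func NewPseudonymizer(key []byte) *Pseudonymizer { return &Pseudonymizer{key: key} }

// Pseudonym mixes in the field name so "customer 1001" and "order 1001" do not
// collide, and returns a 128-bit prefix, ample for identifier-sized namespaces.
func (p *Pseudonymizer) Pseudonym(field, value string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(field))
	mac.Write([]byte{0}) // separator so field/value boundaries are unambiguous
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:32]
}

// TokenVault is a hypothetical in-memory token vault. Tokens have no
// cryptographic relation to the PAN; the mapping exists only inside the vault.
type TokenVault struct {
	byToken map[string]string
	byPAN   map[string]string
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// Tokenize returns a format-preserving token for a 16-digit PAN: twelve random
// digits plus the real last four, so displays and length validators keep working.
// A PAN already in the vault gets its existing token back.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) != 16 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("expected a 16-digit PAN")
	}
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		tok := randomDigits(12) + pan[12:]
		if _, taken := v.byToken[tok]; taken || tok == pan {
			continue // collides with another token, or happens to equal the real PAN
		}
		v.byToken[tok], v.byPAN[pan] = pan, tok
		return tok, nil
	}
}

// Detokenize is the only path back to the PAN and is gated on the caller's role;
// in production this is an audited vault API, not an in-process lookup.
func (v *TokenVault) Detokenize(tok, role string) (string, error) {
	if role != "payments-service" { // hypothetical role permitted to detokenize
		return "", errors.New("detokenization not permitted for role " + role)
	}
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

// randomDigits draws each digit with crypto/rand.Int, avoiding the modulo bias
// of reducing a random byte with "% 10".
func randomDigits(n int) string {
	out := make([]byte, n)
	for i := range out {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			panic("CSPRNG unavailable: " + err.Error())
		}
		out[i] = '0' + byte(d.Int64())
	}
	return string(out)
}

func main() {
	p := NewPseudonymizer([]byte("constructed-demo-key-not-for-production"))
	fmt.Println(p.Pseudonym("customer_id", "C-1001"))
	v := NewTokenVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN
	fmt.Println(tok)
}
```

The two mechanisms answer different requirements: the pseudonymizer is deterministic and keyless to reverse only if the key is gone, which is what a non-production masking run wants, whereas the vault keeps tokens unrelated to the PAN and makes detokenization an explicit, role-checked and loggable operation.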
Map to GDPR Art. 25, 32, ISO 27001 A.8.11, SOC 2 CC6.7.
Secure data destruction
Data sanitization and disposal
Create data sanitization procedures for [asset types]. Address:
Electronic media:
- Hard drives: overwriting (DoD 5220.22-M, NIST SP 800-88), degaussing, physical destruction
- SSDs and flash: cryptographic erasure, physical destruction (overwriting unreliable)
- Cloud storage: cryptographic erasure via key deletion, provider deletion verification
- Backup tapes: degaussing or physical destruction
- Mobile devices: factory reset + encryption key deletion
Paper documents:
- Shredding requirements (cross-cut, particle size)
- Secure disposal vendors and certifications
Disposal verification:
- Certificate of destruction
- Audit trail and compliance documentation
- Asset tracking integration
Decommissioning workflow:
- Data backup if needed (legal hold)
- Sanitization method selection
- Execution and verification
- Asset disposal or repurposing
Map to ISO 27001 A.8.10, GDPR Art. 17, NIST SP 800-88, SOC 2 CC6.5.
Right to erasure (GDPR) implementation
Design technical implementation for GDPR right to erasure (Art. 17). Include:
- Data subject request intake and verification
- Data location mapping (all systems, backups, logs, third parties)
- Automated erasure workflows
- Backup handling (delete from live, document exemption for backups with short retention)
- Third-party notification and erasure coordination
- Exceptions (legal obligations, public interest, vital interests)
- Verification and confirmation process
- Timeline compliance (1 month response)
- Documentation for supervisory authority
- Technical challenges and solutions (distributed systems, blockchain, archives)
Include request form, workflow diagram, and response templates.
Network and communication encryption
TLS/SSL configuration and management
Create TLS/SSL configuration standards for [web servers/load balancers/APIs]. Include:
- Minimum TLS version (TLS 1.2, prefer TLS 1.3)
- Approved cipher suites (forward secrecy, AEAD ciphers)
- Disabled protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1)
- Certificate requirements (key length, signature algorithm, CA)
- HSTS (HTTP Strict Transport Security) configuration
- OCSP stapling for performance
- Certificate pinning considerations
- Configuration testing and validation (SSL Labs, testssl.sh)
- Monitoring for weak configurations
- Documentation for audit (ISO 27001 A.13.2.3, A.10.1, SOC 2 CC6.7)
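Worked example, added here and not part of the prompt library or of any project's code: the prompt above asks for web-server configuration examples; this block expresses the same standard (TLS 1.2 floor, forward-secret AEAD suites only, legacy protocols and suites disabled, HSTS) as a Go crypto/tls configuration, with the weak legacy configuration beside the hardened one and an Audit function that can run as a CI gate or a periodic weak-configuration check. The max-age value and the finding wording are this example's own choices.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
)

// legacyConfig shows the settings the standard forbids: TLS 1.0 floor, RSA key
// exchange (no forward secrecy) and CBC/3DES suites (not AEAD).
func legacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		},
	}
}

// hardenedConfig pins TLS 1.2 as the floor and only ECDHE + AEAD suites for
// TLS 1.2. TLS 1.3 suites are not configurable in Go and are all forward-secret
// AEAD suites, so TLS 1.3 needs no list of its own.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// Audit checks a tls.Config against the standard and returns one finding per
// violation; an empty result means compliant. Each suite yields at most one finding.
func Audit(c *tls.Config) []string {
	var findings []string
	if c.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("minimum version 0x%04x is below TLS 1.2 or not pinned", c.MinVersion))
	}
	if len(c.CipherSuites) == 0 {
		findings = append(findings, "TLS 1.2 cipher suites not pinned to an approved list")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	for _, id := range c.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, name+": marked insecure by the Go TLS library")
		case !strings.Contains(name, "ECDHE"):
			findings = append(findings, name+": no forward secrecy")
		case !strings.Contains(name, "GCM") && !strings.Contains(name, "CHACHA20"):
			findings = append(findings, name+": not an AEAD suite")
		}
	}
	return findings
}

// WithHSTS adds Strict-Transport-Security to every response. Serve it only over
// HTTPS, and roll out with a short max-age before committing to a long one.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println("legacy findings:", Audit(legacyConfig()))
	fmt.Println("hardened findings:", Audit(hardenedConfig()))
}
```

Audit is deliberately static: it reads the configuration a service will load, so it complements rather than replaces the external scanners named above, which test what a listener actually negotiates.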
Include configuration examples for [nginx/Apache/IIS/ALB/HAProxy].
Email encryption and signing
Design email security using encryption and signing for [organization]. Include:
Transport encryption:
- TLS enforcement for inbound/outbound email (SMTP STARTTLS)
- MTA-STS (Mail Transfer Agent Strict Transport Security)
- DANE (DNS-based Authentication of Named Entities)
End-to-end encryption:
- S/MIME certificate distribution and management
- PGP/GPG key management
- Automatic encryption for sensitive data patterns
- Key escrow considerations (compliance vs. privacy)
Email signing:
- DKIM (DomainKeys Identified Mail) configuration
- SPF (Sender Policy Framework) records
- DMARC (Domain-based Message Authentication) policy
User experience:
- Transparent encryption where possible
- External recipient handling (secure portal, one-time encryption)
- Training and support
Map to ISO 27001 A.13.2.3, GDPR Art. 32, SOC 2 CC6.7.
VPN and remote access encryption
Create secure remote access architecture using [VPN type/Zero Trust]. Include:
- VPN protocol selection (IPsec, OpenVPN, WireGuard)
- Authentication requirements (certificate-based, MFA)
- Encryption standards (AES-256, strong key exchange)
- Split-tunnel vs. full-tunnel decision
- Access controls and network segmentation
- Logging and monitoring
- Performance and scalability
- Client device requirements and posture checking
- Zero Trust alternative (identity-aware proxy, per-application access)
- Migration plan from legacy VPN
Align with ISO 27001 A.13.2.3, A.9.1.2, SOC 2 CC6.6.
Compliance and testing
Cryptographic implementation testing
Design cryptographic validation and testing program for [organization]. Include:
- Automated configuration scanning (SSL/TLS, SSH, database encryption)
- Penetration testing of cryptographic controls
- Code review for crypto implementation (common mistakes, library misuse)
- Entropy and randomness testing
- Side-channel attack resistance (timing, power analysis)
- FIPS 140-2/3 validation requirements
- Regular crypto audit schedule (annual)
- Vulnerability assessment for cryptographic weaknesses
- Integration with CI/CD (fail builds on weak crypto)
- Documentation of test results for compliance
Map to ISO 27001 A.14.2.8, SOC 2 CC7.1.
Encryption compliance documentation
Create encryption compliance evidence package for [ISO 27001/SOC 2/GDPR/HIPAA] audit. Include:
- Cryptography policy and standards
- Key management procedures and logs
- Encryption implementation inventory (all systems)
- Configuration exports and validation reports
- Key rotation logs and schedules
- Access controls for keys and encrypted data
- Testing and validation results
- Training records for personnel handling keys
- Incident reports related to cryptographic controls
- Third-party attestations (FIPS, Common Criteria)
- Risk assessment for cryptographic controls
Create evidence collection checklist mapped to control requirements.
Never implement custom cryptography. Always use vetted, well-established libraries and algorithms. Cryptographic mistakes can be catastrophic and difficult to detect.
Upload your current encryption architecture or configuration files to get gap analysis against current cryptographic standards and compliance requirements.
Emerging cryptography
Post-quantum cryptography readiness
Create post-quantum cryptography (PQC) transition plan for [organization]. Include:
- Cryptographic inventory (all systems using public key crypto)
- Quantum threat timeline and risk assessment
- NIST PQC algorithm evaluation (finalized standards)
- Hybrid approach (classical + PQC during transition)
- Certificate infrastructure migration plan
- Application and protocol updates (TLS 1.3 with PQC)
- Timeline and milestones (crypto-agility now, PQC migration by [date])
- Cost and effort estimation
- Testing and validation
- Coordination with vendors and partners
Reference NIST SP 800-208, CNSA 2.0 timeline.
Related prompts
See Infrastructure and cloud security prompts for cloud encryption implementations
See Secure development lifecycle prompts for cryptographic coding standards
See Access control and identity management prompts for authentication encryption