SIO-9.3.5
The encryption of data, both at rest and in transit, including consideration of API security, should be included in the security policy. In particular, encryption and decryption of private keys should utilise encryption protocols or use alternative algorithms that have broad acceptance with cyber security professionals. Critical cryptographic functions such as encryption, decryption, generation of private keys, and the use of digital signatures should only be performed within cryptographic modules complying with the highest, and ideally internationally recognised, applicable security standards.
Added: July 2025