Using encryption to meet compliance in a Windows environment


Rebecca Herold, Contributor
04.03.2008
When it comes to encryption and compliance, there are about as many different interpretations and opinions as there are people offering them.

Although there are no known laws that explicitly require organizations to use encryption, I've seen many security vendors hawking their encryption products with this claim. There are, however, many different data protection laws that do direct organizations to use encryption based on the results of risk analysis.

Encryption supports the confidentiality and integrity requirements that are part of many laws. This is a subtle but important difference about which business leaders -- as well as IT professionals who have to support such technology -- should be aware.

It is also important to know that encryption is a significant factor within most -- but not all -- U.S. data breach response laws. In many states, if the personally identifiable information, or PII, stored on compromised computers or storage devices is encrypted, then organizations do not have to notify the individuals connected to the PII. This type of "safe harbor" is a great motivator for business leaders to encrypt PII.

To begin, you have to know when, where and for which files you'll have to use encryption, and that depends on the results of your own risk analysis for PII and other confidential data in your organization. Encryption provides just one of many layers of protection that ensure the confidentiality and integrity of PII.

For example, many healthcare providers have determined that they must encrypt all email messages to meet HIPAA requirements because of the risk they assume when emailing personal information. Many of these organizations have chosen PGP to encrypt such messages, citing that recipients do not need to purchase or download anything to decrypt them. Those who want specialized email encryption tools can choose from a range of available products.

A number of healthcare organizations have even realized unexpected benefits of using encryption. It has allowed many of them to expand how they use email to communicate information to patients.

Implementing effective encryption

Establishing an effective information security and privacy policy that is in compliance with your organization's applicable laws, regulations and industry standards requires cooperation and collaboration at three levels: organizational, legal and technical. Don't try to make any decisions about encrypting data without talking with the departments within your organization that are responsible for information security and privacy as well as those that oversee compliance and legal areas.

When discussing encryption with these departments, you will need to accurately describe the risks to data based on the results of your risk analysis. Then you'll have to clearly communicate to them what realistic options exist to protect sensitive data and PII. Encryption will be one of these options. In terms they can understand, explain what is possible as well as what is not feasible among encryption choices.

Make sure you describe how encryption can be used within your organization to protect sensitive data while it is being collected, stored, used, processed and transferred between servers and sites.

Here are some guidelines that tell you when encryption will typically be necessary to mitigate identified risks within a Windows environment:

Key for Windows is key management

After you have made the decision to use encryption, you need to address key management. When auditors and regulators learn that you are using encryption, they will look for how you've addressed the following issues with documented procedures and supporting technologies in place:

Here's something else for Windows administrators to keep in mind: As long as you use only one method or vendor product to encrypt data, the keys for decryption will be relatively easy to manage. However, as more encryption methods and products are used -- each with its own key management system -- key management will become much more complex and difficult, and a lost or mismanaged key is as much a data loss as a deleted file.

The U.S. National Institute of Standards and Technology, or NIST, has a great resource, Special Publication 800-57, Recommendation for Key Management. It gives sound advice, describes critical issues such as key generation, distribution, storage, rotation and destruction, and provides details to incorporate into your organization's documentation and procedures.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
