Information Security Magazine
Encryption no longer an optional technology
by Brien Posey
Issue: Oct 2008

Unravel the ins and outs of how your organization should deploy encryption.


For many years, encryption was something companies could choose to use if they wanted an extra degree of security for their data. However, the days of optional encryption are gone forever. Today, companies in a variety of industries are subject to regulations that mandate encryption and other security measures, and face stiff penalties for failure to adequately protect their data. Even if a company is not subject to these types of regulations, many states have laws requiring companies to disclose security breaches in which unencrypted customer data has been compromised.

Consequently, the question is no longer whether a company should use encryption, but how it should encrypt its data. The first step in planning an encryption strategy is to understand the three primary types of encryption solution available: storage, network and application-level encryption. Each offers benefits, but each also has drawbacks to take into account.



Details
PCI is far more prescriptive than HIPAA when it comes to encryption.
by Marcia Savage

What do regulations such as HIPAA actually require in terms of encryption? The HIPAA Security Rule lists encryption as an "addressable" technical safeguard, which means it's not mandatory but must be addressed. "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate," the rule reads.

Like many regulations, HIPAA is intended as guidance rather than mandates, says Richard Mackey, vice president of consulting at SystemExperts. Ultimately, a risk analysis is required to determine the specific security measures a business should implement. "You're supposed to conduct a risk analysis to figure out the real risks, the likelihood of an attack, and what methods would be effective in protecting against those attacks," he says.

Far more prescriptive is the Payment Card Industry Data Security Standard, which provides specific direction on encryption. Requirement 3.4 lists four ways organizations can make the Primary Account Number (PAN) unreadable wherever it is stored: strong, one-way hash functions; truncation; index tokens and pads; and strong cryptography with associated key management processes.
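Three of the four Requirement 3.4 methods, worked through on a constructed test card number. This is an added example, not code from the article or from the PCI Security Standards Council; it uses only the Python standard library, so the fourth method, strong cryptography with key management, is left out (it needs a library such as `cryptography`), and the `TokenVault` class and its in-memory dictionary are a simplification assumed for illustration.

```python
"""PCI DSS Requirement 3.4: render a stored PAN unreadable. Shown here:
one-way (keyed) hash, truncation, and index tokens backed by a vault."""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every card number passes; reject junk before storing it."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash(key: bytes, pan: str) -> str:
    """One-way HMAC-SHA256. A plain unkeyed hash is not enough: a known BIN plus
    the Luhn check leaves roughly 10**9 candidates per BIN, which is cheap to
    enumerate offline, so the key must be protected like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the random token reveals nothing about the PAN. The vault
    is the only way back, so it (not the systems holding tokens) stays in scope."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}   # constructed stand-in for a protected store

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(16)          # 128 bits of CSPRNG output
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


if __name__ == "__main__":
    pan = "4111111111111111"   # constructed test number, not a real account
    print(truncate(pan), keyed_hash(b"demo-key", pan)[:16], TokenVault().tokenize(pan))
```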

Then, there are the state laws (at least 44) requiring notification of breaches involving personal information, many of which make exemptions for encrypted data.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy