This chapter provides a top-level overview of cryptography and addresses topics ranging from policy on the use of cryptography, key management, symmetric key cryptography and public key cryptography to the various encryption standards and cryptographic libraries. Two sections focus on the two key areas addressed in the ISO document: policy on the use of cryptography and key management.

Overview

In the context of information security, cryptography covers a broad range of topics for securing data. Encryption is the conversion of “cleartext” into “ciphertext”. The reverse process, “ciphertext” to “cleartext”, is referred to as decryption. Applied properly, cryptographic controls provide considerable protection for the confidentiality of data and, when coupled with other related methods, extend integrity and authenticity safeguards for data, both at rest and in transit.    
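The paragraph above states that cryptographic controls protect confidentiality and, with related methods, integrity and authenticity. The following Go program is an added example, not part of the original chapter, that shows all three at once with an authenticated encryption mode (AES-256-GCM from Go's standard library): cleartext is sealed into ciphertext, the ciphertext decrypts only under the correct key and associated data, and any modification of the ciphertext is rejected rather than silently decrypted. The key, record text and associated-data label are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts cleartext and authenticates it together with associatedData.
// The output layout is nonce || ciphertext || tag so the nonce travels with
// the data; a fresh random nonce is drawn for every call.
func Seal(key, cleartext, associatedData []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, cleartext, associatedData), nil
}

// Open reverses Seal. It returns an error (and no plaintext) if the key or
// associatedData is wrong or if any byte of the sealed blob was altered:
// this is the integrity and authenticity check the chapter refers to.
func Open(key, sealed, associatedData []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, associatedData)
}

// DetectsTampering flips one bit in the authentication tag of a sealed blob
// and reports whether Open refuses the modified data (true = rejected).
func DetectsTampering(key, sealed, associatedData []byte) bool {
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Open(key, tampered, associatedData)
	return err != nil
}

func main() {
	// Constructed sample values; a real key comes from a key management process.
	key := bytes.Repeat([]byte{0x42}, 32)
	record := []byte("constructed sample: cardholder record 17")
	label := []byte("record-id:17") // authenticated but not encrypted

	sealed, err := Seal(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes) differs from cleartext: %v\n",
		len(sealed), !bytes.Contains(sealed, record))

	plain, err := Open(key, sealed, label)
	fmt.Printf("decrypt with correct key/label: %q err=%v\n", plain, err)

	_, err = Open(key, sealed, []byte("record-id:18"))
	fmt.Printf("decrypt with wrong label rejected: %v\n", err != nil)

	fmt.Printf("modified ciphertext rejected: %v\n", DetectsTampering(key, sealed, label))
}
```

Confidentiality comes from the cipher; integrity and authenticity come from the GCM tag, which binds the ciphertext and the associated data to the key. The associated data is useful for fields that must stay readable (a record identifier, a column name) yet must not be swapped between records.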


Cryptographic Controls


Objective: Describe considerations for an encryption policy ensuring the protection of information confidentiality, integrity, and authenticity (CIA).


Data States and Encryption Methods

Data State: Data In Use/Processing
Examples: Credit card use, W-2 processing, research data
Relevant Encryption Methods: Data is decrypted to be used; data masking of particularly sensitive data should be considered.

Data State: Data At Rest
Examples: Fileserver storage, desktop files, external media
Relevant Encryption Methods: Full Disk Encryption, Container Based Encryption

Data State: Data In Motion
Examples: SFTP, HTTPS, SMTPS
Relevant Encryption Methods: TLS (SSL is deprecated); IPsec

It is important for an organization to categorize information and conduct risk assessments to understand which data requires the most protection. Not all files need to be encrypted. Specific types of data, such as data regulated by HIPAA, FERPA, and PCI DSS, require higher degrees of security. Understanding which members of your organization use this sensitive data will maximize the efficiency and effectiveness of implementing an encryption policy. Some organizations require that all mobile devices use encryption, while other organizations require only that select members use encryption. Your organization must determine the scope and scale of the encryption policy to ensure that security requirements are met.


Standards

ISO
  • 27002:2013 Information Security Management, Chapter 10: Cryptography
  • ISO/IEC 9796-2:2010
  • ISO/IEC 9797-1:2011
  • ISO/IEC 9798-2:2008
  • ISO/IEC 11770-1:2010
  • ISO/IEC 14888-1:2008
  • ISO/IEC 18033-1:2005

NIST
  • 800-111
  • 800-56A
  • FIPS 180-4

COBIT
  • DS5.8
  • APO11.02
  • APO11.05
  • BAI03.03
  • DSS01.01
  • DSS01.02
  • DSS01.04
  • DSS01.05
  • DSS05.01
  • DSS05.02
  • DSS05.03
  • DSS05.06
  • DSS06.05

PCI DSS
  • Req 3
  • Req 4

2014 Cybersecurity Framework
  • PR.DS-1: Data-at-rest is protected
  • PR.DS-2: Data-in-transit is protected
  • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  • PR.DS-5: Protections against data leaks are implemented
  • PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

HIPAA Security
  • 45 CFR 164.312(e)(1)
  • 45 CFR 164.312(a)(1)
