...
This chapter provides a top-level overview of cryptography. It addresses policy on the use of cryptography, key management, symmetric key cryptography, public key cryptography, common encryption standards, and commonly used cryptographic libraries. Two sections focus on the two key areas addressed in the ISO document: policy on the use of cryptography and key management.
Overview
In the context of information security, cryptography covers a broad range of techniques for securing data. Encryption converts "cleartext" (also called plaintext) into "ciphertext"; the reverse process, recovering cleartext from ciphertext, is decryption. Applied properly, cryptographic controls provide considerable protection for the confidentiality of data. Encryption on its own does not protect integrity or authenticity: a ciphertext can be altered without knowledge of the key, and the alteration appears to the recipient as a changed cleartext rather than as an error. Coupled with related methods such as message authentication codes, digital signatures, or an authenticated encryption mode, cryptographic controls also provide integrity and authenticity safeguards for data, both at rest and in transit.
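The distinction drawn above, encryption alone versus encryption with an integrity check, is easy to see in code. The following Go program is an added example written for this page; it is not code from the original document or from any standard the page cites, and it uses only the Go standard library. AES-256-CTR stands in for "encryption alone" and AES-256-GCM for an authenticated mode. The key, counter block, message and header are constructed sample values, fixed only so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample values. The key and CTR counter block are fixed only so
// the run is reproducible; in real use both are random, and a counter block
// is never reused under the same key.
var (
	demoKey       = bytes.Repeat([]byte{0x42}, 32) // 256-bit key
	demoIV        = bytes.Repeat([]byte{0x01}, 16) // CTR initial counter block
	demoPlaintext = []byte("PAY 0100 USD TO ACCT 7")
	demoHeader    = []byte("msg-id:17") // GCM associated data: authenticated, not encrypted
)

// ctrCrypt applies AES-256-CTR. The same call encrypts and decrypts, because
// CTR is a stream cipher (output = input XOR keystream). It gives
// confidentiality only; nothing detects a modified ciphertext.
func ctrCrypt(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// xorByte is the attacker's edit: XOR one ciphertext byte in transit. No key
// is needed, and for a CTR-style cipher the same XOR lands on the plaintext.
func xorByte(msg []byte, pos int, delta byte) []byte {
	out := append([]byte(nil), msg...)
	out[pos] ^= delta
	return out
}

// TamperCTR flips ciphertext byte 4 (the first digit of the amount) by
// '0'^'9'. Decryption succeeds and returns "PAY 9100 ...": the receiver
// cannot tell that anything changed.
func TamperCTR() (string, error) {
	ct, err := ctrCrypt(demoKey, demoIV, demoPlaintext)
	if err != nil {
		return "", err
	}
	pt, err := ctrCrypt(demoKey, demoIV, xorByte(ct, 4, '0'^'9'))
	return string(pt), err
}

// TamperGCM seals the same message with AES-256-GCM, an authenticated mode,
// and applies the same edit. Open verifies the 16-byte tag before releasing
// any plaintext, so the honest message decrypts and the edited one is refused.
func TamperGCM() (roundTrip string, tamperErr error, err error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return "", nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes, unique per message
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	sealed := aead.Seal(nil, nonce, demoPlaintext, demoHeader) // ciphertext || tag
	pt, err := aead.Open(nil, nonce, sealed, demoHeader)
	if err != nil {
		return "", nil, err
	}
	_, tamperErr = aead.Open(nil, nonce, xorByte(sealed, 4, '0'^'9'), demoHeader)
	return string(pt), tamperErr, nil
}

func main() {
	ctr, err := TamperCTR()
	fmt.Printf("AES-CTR, tampered ciphertext decrypts to %q (err=%v)\n", ctr, err)
	rt, tamperErr, _ := TamperGCM()
	fmt.Printf("AES-GCM, honest message: %q; tampered message: %v\n", rt, tamperErr)
}
```

Run it with `go run`. The CTR line shows a cleanly altered amount and no error; the GCM line shows the original message for the honest round trip and an authentication failure for the edited one. The same one-byte edit was applied in both cases: the only difference is that GCM binds a tag to the ciphertext (and to the header passed as associated data), so any change is rejected before a single byte of plaintext is released.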
...
Cryptographic Controls
...
Objective: Describe considerations for an encryption policy that ensures the protection of information confidentiality, integrity, and authenticity.
...
Data States and Encryption Methods
Data State | Examples | Relevant Encryption Methods |
---|---|---|
Data In Use/Processing | Credit card use, W-2 processing, research data | Data is decrypted in order to be used, so encryption does not protect it at this point; data masking of particularly sensitive fields should be considered. |
Data At Rest | File server storage, desktop files, external media | Full disk encryption; container-based (file or volume) encryption |
Data In Motion | SFTP, HTTPS, SMTPS | TLS for HTTPS and SMTPS (SSL is deprecated); SSH for SFTP; IPsec for network-layer tunnels |
It is important for an organization to categorize its information and conduct risk assessments to understand which data requires the most protection. Not all files need to be encrypted. Data regulated by HIPAA, FERPA, and PCI DSS requires a higher degree of protection than the rest. Knowing which members of your organization handle this sensitive data will maximize the efficiency and effectiveness of an encryption policy. Some organizations require that all mobile devices use encryption, while others require encryption only for select members. Your organization must determine the scope and scale of its encryption policy to ensure that its security requirements are met.
...
Standards
ISO | NIST | COBIT | PCI DSS | NIST Cybersecurity Framework | HIPAA |
---|---|---|---|---|---|
27002:2013 Information Security Management | SP 800-111 | DS5.8 | Req 3 | PR.DS-1: Data-at-rest is protected | 45 CFR 164.312(e)(1) |
...
...