
Overview

Applied properly, cryptographic controls provide effective mechanisms for protecting the confidentiality, authenticity and integrity of information. An institution should develop policies on the use of encryption, including proper key management. Disk encryption is one way to protect data at rest. Data in transit can be protected from alteration and unauthorized viewing using SSL certificates issued through a Certificate Authority that has implemented a Public Key Infrastructure.

Encryption-based transport protocols such as SSL and IPsec can be used to secure virtual private networks. DNSSEC likewise applies cryptography to protect the integrity of DNS records and the DNS resolution exchange. SSL and TLS certificates are used to protect email in transit.


Standards

ISO
  • 27002:2013 Information Security Management, Chapter 10: Cryptography
  • ISO/IEC 9796-2:2010
  • ISO/IEC 9797-1:2011
  • ISO/IEC 9798-2:2008
  • ISO/IEC 11770-1:2010
  • ISO/IEC 14888-1:2008
  • ISO/IEC 18033-1:2005

NIST
  • 800-111: Guide to Storage Encryption Technologies for End User Devices

COBIT
  • DS5.8
  • APO11.02
  • APO11.05
  • BAI03.03
  • DSS01.01
  • DSS01.02
  • DSS01.04
  • DSS01.05
  • DSS05.01
  • DSS05.02
  • DSS05.03
  • DSS05.06
  • DSS06.05

PCI DSS
  • Req 3
  • Req 4

2014 Cybersecurity Framework

HIPAA Security
  • 45 CFR 164.312(e)(1)
  • 45 CFR 164.312(a)(1)

In addition to the standards listed here, please check out this cross-referenced matrix (developed by Symantec), which outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace, including ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, PCI DSS, GLBA, NERC standards CIP, and PIPEDA (Canada).


Cryptographic Controls (ISO 10.1)

Objective: To describe considerations for an encryption policy in order to protect information confidentiality, integrity, and authenticity.

Certain data, by their nature, require particular confidentiality protection that can be provided by encryption techniques. Additionally, there may be contractual or other legal penalties for failure to maintain proper confidentiality - when Social Security Numbers are involved, for example. Parties who may acquire unauthorized access to the data but who do not have access to the encryption key - the "password" that encrypted the data - cannot feasibly decipher the data.

Data exist in one of three states: at rest; in transit; or undergoing processing. Data are particularly vulnerable to unauthorized access when in transit or at rest. Portable computers (holding data at rest) are a common target for physical theft, and data in transit over a network may be intercepted. Unauthorized access may also occur while data are being processed, but here the security system may rely on the processing application to control, and report on, such access attempts. When used appropriately, encryption is a powerful tool to prevent unauthorized access to data at rest or in transit.
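As an added illustration of the three properties named in the objective above (example code written for this page, not part of the original guide), the Go program below stores a record under AES-GCM, an authenticated-encryption mode: a party who holds the ciphertext but not the key cannot decipher it, and any alteration of the stored record is detected when it is read back. The key and record contents are constructed demo values; a real deployment would obtain keys from the institution's key management process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // AES (16/24/32-byte key) in GCM, an authenticated mode
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext and returns nonce||ciphertext||tag for storage.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord decrypts a stored record; it fails closed on a wrong key or any altered byte.
func OpenRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short to hold a %d-byte nonce", gcm.NonceSize())
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key, not from real key management
	rec, _ := SealRecord(key, []byte("constructed sample record"))
	_, wrongKey := OpenRecord(make([]byte, 32), rec) // a party holding the data but not the key
	rec[len(rec)-1] ^= 1                              // one altered byte in the stored record
	_, altered := OpenRecord(key, rec)
	fmt.Println("wrong key rejected:", wrongKey != nil, "| altered record rejected:", altered != nil)
}
```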

The following campus case studies are included in Encryption 101, a basic guide to encryption concepts.
  • Campus Case Study: Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker - McIntire School of Commerce, UVA
  • Campus Case Study: Whole Disk Encryption Evaluation and Deployment - Baylor University
  • Campus Case Study: Developing a Certification Authority for PKI at Virginia Tech - Virginia Tech

Full disk encryption (FDE) can be used to mitigate the risk of data exposure, but its protection is in place only while the computer is powered off; once the disk has been unlocked, the running system reads and writes the data in the clear. FDE may therefore be most effective on laptops, which are often powered off when stolen or lost. See Introduction to Full Disk Encryption (FDE) for an overview of FDE.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).