One of the primary goals of this Security Program is to protect the confidentiality, integrity, and availability of information assets, including data.
Whether it’s data on backup media or data in transit over public networks, cryptography controls and the resulting encryption of data help ensure that the confidentiality of the data is preserved.
Sensitive data that is transmitted or stored in plain text (i.e., unencrypted) puts organizations at risk of compromising the confidentiality of data that could lead to a security incident or data breach. Encryption Data and Cryptography controls are both the focus of pitfall #60 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Cryptography keys should be established and managed in accordance with documented policy requirements for key generation, distribution, storage, access, and deactivation. Cryptographic controls should address the use of encryption for the protection of sensitive information transported by mobile or removable media, devices, or across communication lines.
Supporting cryptographic procedures should be implemented to address the required level of protection, such as the type and strength of the encryption algorithm required. These procedures should include the specifications for the effective implementation of encryption whenever it is needed throughout your organization. Public key certificates should be required to be issued under an organization-defined certificate policy or public key certificates should be obtained from an approved service provider.
Encryption of data at rest and data in transit should be implemented as determined by your organization’s data classification schema and risk assessment. All sensitive, non-public, and confidential data should be encrypted while in transit and at rest. Your data backups should be encrypted whether they are maintained by your organization or a third party.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.