
Using encryption to meet compliance in a Windows environment

When it comes to encryption and compliance, there are about as many different interpretations and opinions as there are people offering them.

Although there are no known laws that explicitly require organizations to use encryption, I've seen many security vendors hawking their encryption products with this claim. There are, however, many different data protection laws that do direct organizations to use encryption based on the results of risk analysis.

Encryption supports the confidentiality and integrity requirements that are part of many laws. This is a subtle but important difference that business leaders -- as well as the IT professionals who have to support such technology -- should be aware of.


It is also important to know that encryption is a significant factor within most -- but not all -- U.S. data breach response laws. In many states, if the personally identifiable information, or PII, stored on compromised computers or storage devices is encrypted, then organizations do not have to notify the individuals connected to the PII. This type of "safe harbor" is a great motivator for business leaders to encrypt PII.

To begin, you have to know when, where and for which files you'll have to use encryption, and that depends on the results of your own risk analysis for PII and other confidential data in your organization. Encryption provides just one of many layers of protection that ensure the confidentiality and integrity of PII.

For example, many healthcare providers have determined that they must encrypt all email messages to meet HIPAA requirements because of the risk they assume when emailing personal information. Many organizations have chosen PGP to encrypt such messages, citing that it does not require email recipients to purchase or download anything to be able to decrypt the messages. However, those who want specialized email encryption tools can choose from a range of available products.

A number of healthcare organizations have even realized unexpected benefits of using encryption. It has allowed many of them to expand how they use email to communicate information to patients.

Implementing effective encryption

Establishing an effective information security and privacy policy that is in compliance with your organization's applicable laws, regulations and industry standards requires cooperation and collaboration at three levels: organizational, legal and technical. Don't try to make any decisions about encrypting data without talking with the departments within your organization that are responsible for information security and privacy as well as those that oversee compliance and legal areas.

When discussing encryption with these departments, you will need to accurately describe the risks to data based on the results of your risk analysis. Then you'll have to clearly communicate to them what realistic options exist to protect sensitive data and PII. Encryption will be one of these options. In terms they can understand, explain what is possible as well as what is not feasible among encryption choices.

Make sure you describe how encryption can be used within your organization to protect sensitive data while it is being collected, stored, used, processed and transferred between servers and sites.

Here are some guidelines that tell you when encryption will typically be necessary to mitigate identified risks within a Windows environment:

  • Encrypt sensitive data and PII in storage, specifically on mobile storage devices.

  • Encrypt sensitive data and PII when moving data through networks.

  • Use public key encryption, known as PKE, when collecting PII from -- or transferring PII between -- sites and servers on public networks, such as the Internet.

  • Encrypt log files whose confidentiality or integrity must be preserved, as determined through your risk analysis. Some candidates on a Windows server include:

    • Account logon and logoff events
    • Account management events, such as:
      • Creating a user account
      • Adding a user to a group
      • Renaming a user account
      • Changing a password for a user account
    • Directory service access
    • Object access
    • Policy changes
    • Privilege use activities
    • Process tracking
    • System events related to a computer restarting or being shut down
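The following PowerShell script is an added example, not code from the original article. It exports the Security-log categories named above for a given window, records a SHA-256 digest of the export so later tampering can be detected (integrity), and seals the export in a CMS envelope encrypted to an archive certificate (confidentiality). The certificate subject `CN=LogArchive` and the folder `C:\SecureLogs` are placeholders; the script assumes PowerShell 5.1 or later, a certificate with the Document Encryption extended key usage installed in the local store, and rights to read the Security log. The event IDs are the standard Windows Security-log IDs for each category; adjust the mapping to what your risk analysis actually requires.

```powershell
# Added example (not from the original article): protect exported Security-log
# events for confidentiality (CMS encryption) and integrity (SHA-256 digest).
# Placeholders to replace for your site:
$CertSubject = 'CN=LogArchive'      # placeholder: subject of an encryption-capable certificate
$ArchiveDir  = 'C:\SecureLogs'      # placeholder: destination folder for the archive

# Windows Security-log event IDs for the categories listed in the article.
$EventIds = @{
    'Account logon and logoff'  = @(4624, 4634, 4647)
    'User account created'      = @(4720)
    'User added to a group'     = @(4728, 4732, 4756)
    'User account renamed'      = @(4781)
    'Password change or reset'  = @(4723, 4724)
    'Audit policy change'       = @(4719)
}

function Get-Sha256Hex {
    # Hex SHA-256 of a UTF-8 string; used as the integrity digest of the export.
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').ToLower()
    } finally { $sha.Dispose() }
}

function Export-ProtectedSecurityLog {
    param([int]$Hours = 24)
    $null  = New-Item -ItemType Directory -Path $ArchiveDir -Force
    $ids   = $EventIds.Values | ForEach-Object { $_ } | Sort-Object -Unique
    $since = (Get-Date).AddHours(-$Hours)

    # Pull only the selected event IDs. SilentlyContinue avoids a terminating error
    # when no matching events exist in the window.
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue
    $records = @(foreach ($e in $events) {
        [pscustomobject]@{ Time = $e.TimeCreated.ToString('o'); Id = $e.Id; Message = $e.Message }
    })
    $plaintext = ConvertTo-Json -InputObject $records -Depth 3

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $cms    = Join-Path $ArchiveDir "security-$stamp.cms"
    $digest = Join-Path $ArchiveDir "security-$stamp.sha256"

    # Confidentiality: only the holder of the certificate's private key can open the envelope.
    Protect-CmsMessage -To $CertSubject -Content $plaintext -OutFile $cms
    # Integrity: the plaintext digest is written separately so it can be kept on write-once storage.
    Set-Content -Path $digest -Value (Get-Sha256Hex $plaintext) -NoNewline

    return [pscustomobject]@{ Envelope = $cms; Digest = $digest; Events = $records.Count }
}

function Test-ProtectedSecurityLog {
    # Decrypt with the private key, then confirm the plaintext still matches the recorded digest.
    param([Parameter(Mandatory)][string]$Envelope, [Parameter(Mandatory)][string]$DigestFile)
    $plaintext = Unprotect-CmsMessage -Path $Envelope
    $expected  = (Get-Content -Path $DigestFile -Raw).Trim()
    return (Get-Sha256Hex $plaintext) -eq $expected
}

# Usage:
# $r = Export-ProtectedSecurityLog -Hours 24
# Test-ProtectedSecurityLog -Envelope $r.Envelope -DigestFile $r.Digest   # $true when untampered
```

Two design points worth noting for an auditor's review: the digest file only proves integrity if it is stored where the same account that can alter the archive cannot also rewrite the digest (a write-once share or a separate log-collection host), and the private key for `CN=LogArchive` belongs in the key management process described in the next section rather than on the server that produces the logs, since whoever holds it can read every archived record.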

Key for Windows is key management

After you have made the decision to use encryption, you need to address key management. When auditors and regulators learn that you are using encryption, they will look for how you've addressed the following issues with documented procedures and supporting technologies in place:

  • User registration processes
  • System and user initialization
  • Keying material installation
  • Tests prior to operational use for keying material
  • Key establishment
  • Key registration
  • Operational use
  • Storing and archiving keying material
  • Key update
  • Key recovery
  • Key de-registration and destruction
  • Key revocation

Here's something else for Windows administrators to keep in mind: As long as you use only one method or vendor product to encrypt data, the keys for decryption will be relatively easy to manage. However, as more encryption methods and products are used -- each with its own key management system -- key management becomes much more complex and difficult.

The U.S. National Institute of Standards and Technology, or NIST, has a great resource called Recommendation for Key Management. It gives sound advice, describes the critical issues and provides details you can incorporate into your organization's documentation and procedures.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.

This was first published in April 2008
