"I've heard that data encryption is a strategy to secure data at rest. How do I begin to evaluate it for my site?"
Understanding the reasons for pursuing an encryption strategy is important
from the outset. Failure to capture the full set of drivers can result in an
inadequate and/or unusable solution. Follow these steps to begin your
evaluation process.
- Identify all relevant regulatory obligations that impact data security and data privacy (e.g., Sarbanes-Oxley, HIPAA, Payment Card Industry Data Security Standard, EU Data Privacy, CA SB 1836/AB 1950, etc.).
- Identify all relevant legal obligations that impact data security (e.g., court orders, contractual obligations, due care, trade secrets, competitively sensitive information, intellectual property, etc.).
- Identify all relevant executive management concerns (e.g., public image, thwarting and detecting criminal activity, protecting intellectual property) and trace them back to quantifiable obligations and requirements.
- Review organizational policies associated with data protection and data security (e.g., retention, destruction, privacy/confidentiality, etc.).
- Review organizational IS/IT strategic plans to identify desired future states with defined data protection and data security dependencies.
- Review recent IS audit results/findings to identify data privacy/confidentiality deficiencies.
- Determine whether compliance or data security requirements serve as the primary need for confidentiality measures.
- Determine the role of monitoring and reporting (auditing).
For more information on storage and security, visit the SNIA Storage Security Industry Forum website.