Creating an encryption strategy requires significant review and effort. It’s best to approach this as a major project, involving key members of operations, management, and IT. Start by bringing together key data stakeholders and explain the mission. As a group you must identify applicable regulations, laws, guidelines, and external influences that will have an impact on your purchasing and implementation decisions. From there, you can move on to identifying high-risk areas, such as laptops, wireless networks, and data backups.
Encryption is useless if an attacker can simply access the confidential data directly, for example by logging in as a user or service that already holds the decryption key, rather than having to defeat any cryptography. A successful strategy therefore also defines strong access controls, using an adequate combination of file permissions, passwords, and two-factor authentication, and it audits those controls on a regular basis to confirm they still hold.
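As an added example (not from the original article), the following Python script performs the kind of access-control audit described above: it walks a directory and flags files whose POSIX permission bits let group or other users read or write them, paying special attention to key material and backups. The directory tree, file names and the list of sensitive suffixes are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# File name suffixes treated as key material or backups (an assumption for this example).
SENSITIVE_SUFFIXES = (".key", ".pem", ".bak", ".tar.gz")


def audit_permissions(root):
    """Walk root and report regular files whose POSIX mode bits let group or
    other users read or write them. Returns {path: [reasons]} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        perms = stat.S_IMODE(path.stat().st_mode)
        reasons = []
        if perms & stat.S_IROTH:
            reasons.append("world-readable")
        if perms & stat.S_IWOTH:
            reasons.append("world-writable")
        # Key and backup files should be owner-only; any group access is a finding.
        if path.name.endswith(SENSITIVE_SUFFIXES) and perms & (stat.S_IRGRP | stat.S_IWGRP):
            reasons.append("key/backup material accessible to group")
        if reasons:
            findings[str(path)] = reasons
    return findings


def build_demo_tree():
    """Create a constructed directory tree with deliberately mixed permissions."""
    root = Path(tempfile.mkdtemp(prefix="encaudit-"))
    layout = {
        "secrets/server.key": 0o600,      # owner only: no finding expected
        "secrets/backup.key": 0o640,      # group can read a private key: finding
        "backups/db.bak": 0o644,          # world-readable backup: finding
        "public/readme.txt": 0o644,       # world-readable, left for triage to dismiss
        "exports/customers.bak": 0o666,   # world-writable backup: finding
    }
    for rel, mode in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder content\n")  # constructed placeholder, not real data
        os.chmod(p, mode)
    return root


def run_demo():
    """Build the demo tree, audit it, and key the findings by relative path."""
    root = build_demo_tree()
    findings = audit_permissions(root)
    return {str(Path(p).relative_to(root)): r for p, r in findings.items()}


if __name__ == "__main__":
    for rel_path, reasons in sorted(run_demo().items()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run it periodically against the directories that hold keys, backups and exported data; the point is that a 0o644 backup defeats whatever encryption protects the live database.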
Research various encryption solutions, read technical reviews, and contact the customers of vendors that interest you. Nothing beats a try-before-you-buy approach in this arena because what works well for one company doesn’t necessarily work for another. Ultimately, you must select one or more encryption solutions that best fit your organization.
Prior to deployment, develop a written policy endorsed by management and communicate both the policy and the operational instructions to end-users, including business partners and third parties that handle sensitive data. If they can’t meet your company’s policies, and demonstrate as much, they don’t get your data. Responsibility for encryption should be assigned to named owners, with consequences for noncompliance.
Consider implementing a tool to monitor for and detect the leak or theft of confidential information. The policy should state that any lost or stolen data must be reported immediately to the key stakeholders for evaluation, and it should spell out the specific steps to take when a data breach is detected: exactly who is contacted and how quickly; when customers are notified, who decides, and how; and whether customers are offered free credit reports. All of these questions should be answered ahead of time.
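As an added example, not part of the original article, here is a minimal leak detector of the kind the paragraph above suggests: it scans outbound messages for payment card numbers (13 to 19 digits, validated with the Luhn checksum so that ordinary order numbers are not flagged) and for a classification label. The sample messages, the label word and the finding names are constructed for the example.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens (a PAN-like token).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classification marker this example assumes the organization stamps on sensitive documents.
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return a list of (finding_type, redacted_value) for one outbound message."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            # Never log the full number; keep only the last four digits for triage.
            findings.append(("card_number", "****" + digits[-4:]))
    if LABEL_RE.search(text):
        findings.append(("classification_label", "CONFIDENTIAL"))
    return findings


# Constructed sample messages (not real data). msg-2 carries a 16-digit order
# number that fails the Luhn check and therefore must not be flagged.
SAMPLE_MESSAGES = [
    ("msg-1", "Hi Bob, the card on file is 4111 1111 1111 1111, exp 09/27."),
    ("msg-2", "Order 1234567890123456 shipped today."),
    ("msg-3", "Please review the attached quarterly numbers."),
    ("msg-4", "CONFIDENTIAL - do not forward: draft merger terms attached."),
]


def scan_all(messages=SAMPLE_MESSAGES):
    """Scan every (id, body) pair and return {id: findings}."""
    return {msg_id: scan_message(body) for msg_id, body in messages}


if __name__ == "__main__":
    for msg_id, findings in scan_all().items():
        print(msg_id, findings or "clean")
```

The Luhn step matters in practice: without it, every 16-digit order or tracking number becomes an alert and the monitoring tool is switched off within a week.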
Although only loosely related to encryption, a proactive data destruction policy should be enforced as well. Many of this year’s embarrassing data-theft stories involved data that should have been destroyed long ago. If the data isn’t needed, get rid of it -- and the risk that goes with it. A good policy indicates how long data should be kept, from the instant it is created or obtained, as well as how it should be secured and destroyed.
Unfortunately, no single encryption product protects all data areas. Some vendors offer nearly holistic solutions, but eventually an IT project manager will have to cobble together multiple solutions.
Detailed technical standards and guidance are available on the National Institute of Standards and Technology (NIST) Cryptographic Toolkit Web page. NIST publications tend to be drab and heavy with technical jargon, but most U.S. government agencies, contractors, and vendors must follow its recommendations. And because those recommendations are thoroughly tested and vetted through expert public review and input, nongovernment organizations would do well to follow its advice.