Importance of Encryption

Encryption converts information into a format that is unreadable to anyone except the holder(s) of the key. To change the information back to its original, readable form, the reader needs the exact key that unlocks the encryption. Encryption is important because it allows you to protect sensitive data. Home users use encryption to protect themselves against identity theft. Companies and government entities use it to protect sensitive documents and corporate secrets.

  1. Lost and stolen laptops, tablets, USB drives, and smartphones are a major source of data compromise. If company data must be stored on these types of devices, it needs to be encrypted to prevent unauthorized parties from retrieving the information. Recovering from a data breach is more costly than replacing a physical device. Implementing full-device encryption across the fleet, with passwords that meet NIST complexity standards, should prevent unauthorized people from retrieving the data or extracting domain-based credentials and user account profiles (which may grant access to organizational network resources) should the device be lost or stolen. Additional security policies can be set on the server to remotely wipe mobile devices should a loss or theft occur.
  2. A security policy needs to include data classification, risk assessment, controls to protect data, monitoring and testing of the controls, and a process for identifying new vulnerabilities. These safeguards are technical, physical, and administrative, all designed to protect the company's data from threats within the company. Physical policies should be implemented as well to limit physical access to sensitive information and equipment. Physical access logging together with server activity logging and monitoring will help evaluate policy compliance and identify policy breaches. Other policy practices that help reduce the risk of snooping employees include segregation of duties, least privilege, and log monitoring.
  3. Transfers of sensitive data should be performed only over a trusted, encrypted connection. To keep the company's data secured from outsiders, precautions such as firewalls, an IDS, an IPS, and a vulnerability scanner should be implemented. Strong cryptography and security protocols such as IPsec tunnels and VPNs should be used to protect data in transit over outside networks. The transfer of personal information from a third party to the company, usually through a web site, should be completed through our secure servers, which should use strong encryption. Any electronic communication containing sensitive information should be encrypted whenever it is sent outside the company. Particularly sensitive communications should be encrypted at all times, even when sent internally. To avoid accidental disclosure, the email server can be configured to send only encrypted email.