Use of encryption
auf einem lokalen Rechner Kryptographie (Verschlüsselung) zu nutzen, außer in den Fällen, die in der Richtlinie zur Klassifizierung von Informationen
(Use cryptography (encryption) on a local machine, except in the cases specified in the Information Classification Policy)
This seems to be an old control to ensure availability. In my view, any organization should make it mandatory to use the corporate encryption solution – and central key management.
First, it is important to note that this impediment is not absolute. If your organization's Information Classification Policy defines the use of encryption with central key management as a general solution for all information classification levels, then the IT department can implement it as you described.
The use of encryption solutions must be considered wisely because it can have some potential restrictions or negative consequences, e.g., in some countries the usage of encryption is defined by law; also, if an employee leaves the company and all his data is locked on an encrypted disk, then the company cannot access this data.
This article will provide you with further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
Sep 08, 2019