
Use of encryption

Guest user Created:   Sep 08, 2019 Last commented:   Sep 08, 2019

In the past years, encryption has become a key control for protection of integrity and confidentiality of data. Many organizations use encryption technology such as disk encryption provided by the OS with managed keys. I am surprised to see this statement as not allowed per IT Security Policy:
"Use cryptography (encryption) on a local machine, except in the cases specified in the Information Classification Policy"
This seems to be an old control to ensure availability. In my view, any organization should make it mandatory to use the corporate encryption solution – and central key management.


Expert
Rhand Leal Sep 08, 2019

First, it is important to note that this impediment is not absolute. If your organization's Information Classification Policy defines the use of encryption with central key management as a general solution for all information classification levels, then the IT department can implement it as you described.

The use of encryption solutions must be considered wisely because it can have some potential restrictions or negative consequences, e.g., in some countries the usage of encryption is defined by law; also, if an employee leaves the company and all his data is locked on an encrypted disk, then the company cannot access this data.

This article will provide you further explanation about information classification:
- Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
