Re: Secure Data Transfer Policy

[simonis () myself com]

It seems to me you have a prerequisite policy to write.  Your data transfer policy won't likely say that all data needs 
to be transfered securely, so you need to classify what type of data is in scope.  To do so reasonably, you probably 
should start with a data classification policy which might define who is to classify data and what types of data are 
considered public/confidential/highly confidental/whatever/.

Then, your data tranfer policy would be easily written such that, say, confidential data must be encrypted when sent to 
external parties using a secure channel (e.g., sFTP) while highly confidential data must be entity encrypted such that 
only the intended recipient can read (e.g., PGP or S/MIME).  


-ds

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------