BreachExchange mailing list archives

Why Organizations Fail to Encrypt


From: security curmudgeon <jericho () attrition org>
Date: Mon, 24 Dec 2012 13:04:19 -0600 (CST)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.bankinfosecurity.com/interviews/organizations-fail-to-encrypt-i-1740

By Eric Chabrow
Bank Info Security
December 22, 2012

Karen Scarfone, who coauthored NIST's encryption guidance, sort of figured 
out why many organizations don't encrypt sensitive data when they should. 
The reason: they do not believe they are required to do so.

Scarfone, who left the National Institute of Standards and Technology in 
2010 and founded a consultancy a year later, reached that conclusion after 
a phone conversation she had with representatives from a state agency that 
just experienced a breach. The state agency representatives had seen NIST 
Special Publication 800-111, Guide to Storage Encryption Technologies for 
End User Devices, and contacted Scarfone to get advice.

"Their questions really circled around whether there is a specific law or 
regulation that requires sensitive data to be encrypted," Scarfone recalls 
in an interview with Information Security Media Group. "In a roundabout 
way I told them, no. What you have to do is take a risk-based approach 
[because] the same data in different contexts may be sensitive or 
non-sensitive and it's too difficult to make a law that basically would 
enforce that."

Scarfone cites, as an example, Social Security numbers - sensitive 
information to be secured when a person is alive, but once the individual 
dies, the Social Security Administration makes the number public to help 
thwart identity theft and financial fraud.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
