Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: List of Full Disc Encryption products

From: "Sadler, Connie" <Connie_Sadler () Brown edu>
Date: Thu, 6 Jul 2006 15:35:08 -0400
 
I agree with Roger. Full drive encryption is not required for anything
that isn't classified. At least I've never seen a requirement for it.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Office: 401-863-7266



-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com] 
Sent: Thursday, July 06, 2006 2:13 PM
To: Saqib Ali
Cc: security-basics
Subject: RE: List of Full Disc Encryption products

I don't want to argue semantics, but you're wrong. Pure and simple.
Data's data. Program files and operating system files are not data.
Data is stored in files. You can encrypt individual files and folders
and still be in compliance with any federal mandate or guideline.  There
is NO mandate or guideline that says the entire drive must be encrypted.

Again, encrypting hard drives are a good thing, but don't spread FUD.
Let the facts speak for themselves. Encrypting the entire hard drive is
one solution for protecting confidential files, but it isn't the only
solution. And it certainly isn't the only one accepted by law or
mandate.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Thursday, July 06, 2006 12:28 PM
To: Roger A. Grimes
Cc: security-basics
Subject: Re: List of Full Disc Encryption products

On 7/5/06, Roger A. Grimes <roger () banneretcs com> wrote:

I don't believe your second sentence. Prove me wrong. What mandate 
says that full hard drive encryption is mandatory versus just 
encrypting the necessary files and folders?  Give me the law and

subsection.

OK. See:
1) http://digg.com/security/U.S._gov_t_mandates_laptop_security
2) http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Bullet #1 from the PDF reads:
1) Encrypt "all" data on mobile computers/devices which carry agency
data unless the data is determined to be non-sensitive, in writing, by
your Deputy Secretary or an individual he/she may designate in writing;

So encrypting certain files on the laptop will NOT suffice. You have to
encrypt "All Data".

If you are NOT encrypting partial data on the device, you have to get an
written exception from the Deputy Secretary.



--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: