Re: centralized storage of sensitive data

[reflect ocean <reflect.ocean () GMAIL COM>]

Great resource.I'll check it out.I'm starting to evaluate consequence
of deploying these controls.Is a centralized storage of sensitive
information (such faculty information,exam papers,alumni
information,etc.) a practice you would recommend or maybe a
descentralized is a better approach?
Maybe I'm starting to rambling but checking it out and considering
some reading I've been doing about Information Security System
deployment,i have a question:At what part of this deployment should i
be doing Business Continuity Plan?
My understanding is that this plan should come once SGSI is implemented.
Thanks


On Wed, Jul 1, 2009 at 10:17 AM, Theresa
Semmens<Theresa.Semmens () ndsu edu> wrote:
> Educause has several good resources for encryption. One you may find
> interest in is
> https://wiki.internet2.edu/confluence/display/secguide/Encryption
>
> Within your data protection policy are you providing data classification of
> your data elements?  Customers need to know confidential data is. Be sure
> your policy takes into account your government's laws and regulations for
> data protection.
>
> It sounds like you are taking a four-pronged approach - policy/procedure ->
> encryption for data manipulation -> encryption in transit -> encryption for
> data at rest.
>
> For data in transit you will want to look at pros and cons for a VPN, or if
> working online through the Internet, may want to incorporate SSL, and will
> need to look at benefits for that as well.  Each institution has different
> climates and cultures for how they perform business, education, and research
> functions.  I recommend that your thoroughly review your processes for each
> of these three areas and then fit the solution(s) to the needs. When it
> comes to security, you will never find a "one size fits all" brand.  Higher
> Ed poses a unique set of challenges, and is like herding cats - you can
> guide them (Higher Ed) in one direction, but that doesn't mean they will end
> up at that destination.  ;-)
>
> Good luck with your project. We will be interested in learning what you
> deploy and how you will deploy it.
>
> Theresa
>
> Theresa Semmens, CISA
> Chief IT Security Officer
> North Dakota State University
> IACC 210D
> PO Box 6050
> Fargo, ND 58108
> Phone: 701-231-5870
> Fax: 701-231-8541
> Theresa.Semmens () ndsu edu
>
> "Opportunity is missed by most people because it is dressed in overalls and
> looks like work."  Thomas Edison
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
> Sent: Wednesday, July 01, 2009 9:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] centralized storage of sensitive data
>
> We are building policy for sensitive data manipulation which leads us
> to a stage where we are evaluating available and affordable solutions
> to the risk of sensitive digital document manipulation.The goal is to
> protect sensitive information such faculty docs from leaking by
> implementing data loss controls.
>
> Answering your question:both.
>
> Based on this, we are looking for a solution that protects data by
> offering a centralized encrypted storage and an encrypted tarnsference
> to the central storage device as well.
> We have also considered to encrypt this sensitive data from the
> beginning of its elaboration (i.e local encryption in the PC) but we
> are just starting to explore solutions.
> I'm aware of windows server platforms offer some sort of encrypted
> file server storage but i'm not sure if that includes encyrpted
> transference from the pc to the file server.
>
>
>
> Thanks
>
>
>
>
>
>
> On Wed, Jul 1, 2009 at 9:12 AM, Theresa Semmens<Theresa.Semmens () ndsu edu>
> wrote:
> > Your request is bit confusing - are you looking for solutions to encrypt
> > just the storage (resting data), or the transference of data, or both?  If
> > it is both, you are wanting to discuss different solutions for different
> > issues. Will you be encrypting e-mail as well? What about the workstations
> > where the data will be manipulated - will they be considered in the
> > protection of sensitive data?
> >
> > Do you have a policy and procedure in place that will provide oversight
> and
> > governance for this project?  Without policy and procedure, you will run
> > into a lot of problems. This must be your first step in protecting data.
> >
> > I have to question if you are considering all of the situations and issues
> > for confidential data protection.
> >
> > Theresa Semmens, CISA
> > Chief IT Security Officer
> > North Dakota State University
> > IACC 210D
> > PO Box 6050
> > Fargo, ND 58108
> > Phone: 701-231-5870
> > Fax: 701-231-8541
> > Theresa.Semmens () ndsu edu
> >
> > "Opportunity is missed by most people because it is dressed in overalls
> and
> > looks like work."  Thomas Edison
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of reflect ocean
> > Sent: Wednesday, July 01, 2009 9:01 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] centralized storage of sensitive data
> >
> > We are planning to implement a solution to storage sensitive data
> > which must include encryption and auditory of each access.Storage of
> > information should be centralized and transfer of data across network
> > also should be encryted.
> > I've reviewed some solutions from McAfee and Sophos.If anyone has any
> > recommendation or any other consideration to implement , please let me
> > know.
> >
> > Thanks