Information Security News mailing list archives

Why Organizations Fail to Encrypt


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 24 Dec 2012 04:22:39 -0600 (CST)

http://www.bankinfosecurity.com/interviews/organizations-fail-to-encrypt-i-1740

By Eric Chabrow
Bank Info Security
December 22, 2012

Karen Scarfone, who coauthored NIST's encryption guidance, has a fair idea of why many organizations don't encrypt sensitive data when they should: they do not believe they are required to do so.

Scarfone, who left the National Institute of Standards and Technology in 2010 and founded a consultancy a year later, reached that conclusion after a phone conversation she had with representatives from a state agency that just experienced a breach. The state agency representatives had seen NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and contacted Scarfone to get advice.

"Their questions really circled around whether there is a specific law or regulation that requires sensitive data to be encrypted," Scarfone recalls in an interview with Information Security Media Group. "In a roundabout way I told them, no. What you have to do is take a risk-based approach [because] the same data in different contexts may be sensitive or non-sensitive and it's too difficult to make a law that basically would enforce that."

Scarfone cites, as an example, Social Security numbers - sensitive information to be secured when a person is alive, but once the individual dies, the Social Security Administration makes the number public to help thwart identity theft and financial fraud.

[...]

