Information Security Best Practices: 205 Basic Rules

Section 14: Data Encryption Rules

Some organizations have a need for encryption of data stored on computers and sent across networks. This section provides a set of guidelines for implementing and managing data encryption.

INFOSEC Best Practice #156

Standardize on the type of encryption used at the organization.

Data can be encrypted either through hardware or software, using various encryption schemes. In order for your organization to exchange encrypted data, all sites will have to agree on the encryption method. Letting every site, group, department, or individual choose their own encryption scheme will create too much technical management overhead and will limit how the company can communicate between sites and ensure privacy.

Multi-level security (MLS) can be specified for various types of communication within an organization. For instance, very confidential financial data will require stronger encryption than email between some employees. These levels of security must be evaluated and incorporated into the organization's security policy. Once the policy specifies the strength of encryption for various levels of data within the corporate framework, specific encryption software and/or hardware can be chosen. Exceptions will include encryption requirements for communicating externally with non-corporate sites.

INFOSEC Best Practice #157

Use encryption when transmitting sensitive or confidential data over a network.

Data encryption and decryption can be accomplished by either hardware or software. Data can be encrypted on the computer, stored encrypted in a file, and transmitted over the network using conventional protocols. Encryption is the most straightforward way to keep data confidential on a computer and when...