Karen Scarfone, who coauthored NIST’s encryption guidance, has arrived at an explanation for why many organizations don’t encrypt sensitive data when they should. The reason: they do not believe they are required to do so.
Scarfone, who left the National Institute of Standards and Technology in 2010 and founded a consultancy a year later, reached that conclusion after a phone conversation she had with representatives from a state agency that just experienced a breach. The state agency representatives had seen NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and contacted Scarfone to get advice.
“Their questions really circled around whether there is a specific law or regulation that requires sensitive data to be encrypted,” Scarfone recalls in an interview with Information Security Media Group. “In a roundabout way I told them, no. What you have to do is take a risk-based approach [because] the same data in different contexts may be sensitive or non-sensitive and it’s too difficult to make a law that basically would enforce that.”
Scarfone cites, as an example, Social Security numbers – sensitive information to be secured when a person is alive, but once the individual dies, the Social Security Administration makes the number……
Why Organizations Fail to Encrypt - BankInfoSecurity