Encryption refers to the process of converting data into a form that is unreadable unless the recipient has the pre-designated algorithm, “key,” and password needed to convert the information back into readable text. Most statutes, regulations, and agencies that require companies to use encryption to protect data do not mandate that a specific encryption standard be used. Some statutes do require, however, that companies use an encryption key that is at least 128 bits in length.
When examining whether a company’s use of encryption is reasonable and appropriate for the type of data collected and the risks posed to that data, regulators often examine whether a company uses encryption “at rest” and/or “in transit.” Encryption “at rest” refers to encryption applied to data while it is being stored. Encryption “in transit” refers to encryption applied to data while it is being transmitted across a network. Depending upon the type of software being used and the architecture of a database, encryption at rest may significantly impair the ability to access and use the data efficiently.
What to think about when designing, or reviewing, an encryption policy:
- What types of data does our organization encrypt?
- Is the data encrypted at rest?
- Is the data encrypted in transit?
- What encryption standards are used at rest and/or in transit?
- Are those encryption standards considered “strong” within the security community?
- Is there evidence that those encryption standards have been compromised?
- Is there a process to review the sufficiency of the encryption standard periodically (e.g., once per year)?
- Has your organization contractually agreed to maintain a specific encryption standard?
The following provides snapshot information concerning encryption.
[Image: snapshot information concerning encryption (image not reproduced in this text)]