[ISN] Why Organizations Fail to Encrypt

http://www.bankinfosecurity.com/interviews/organizations-fail-to-encrypt-i-1740

By Eric Chabrow
Bank Info Security
December 22, 2012

Karen Scarfone, who coauthored NIST’s encryption guidance, sort of figured out why many organizations don’t encrypt sensitive data when they should. The reason: they do not believe they are required to do so.

Scarfone, who left the National Institute of Standards and Technology in 2010 and founded a consultancy a year later, reached that conclusion after a phone conversation she had with representatives from a state agency that had just experienced a breach. The state agency representatives had seen NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, and contacted Scarfone to get advice.

“Their questions really circled around whether there is a specific law or regulation that requires sensitive data to be encrypted,” Scarfone recalls in an interview with Information Security Media Group. “In a roundabout way I told them, no. What you have to do is take a risk-based approach [because] the same data in different contexts may be sensitive or non-sensitive and it’s too difficult to make a law that basically would enforce that.”

Scarfone cites, as an example, Social Security numbers – sensitive information to be secured when a person is alive, but once the individual dies, the Social Security Administration makes the number public to help thwart identity theft and financial fraud.

[…]