Best Practices for Tape Encryption

WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE
Employing Best Practices
for Mainframe Tape
Encryption
JUNE 2008
Stefan KochishanCA MAINFRAME PRODUCT MARKETING
John HillCA MAINFRAME PRODUCT MANAGEMENTTable of Contents
Executive Summary 1 SECTION 4: CONCLUSIONS 6
SECTION 1: CHALLENGE 2 SECTION 5: REFERENCES 6Securing Personal and Business-critical Data There's No Such Thing as Low Risk SECTION 6: ABOUT THE AUTHORS 7Encryption is KeyThe Real Cost of Exposure
SECTION 2: OPPORTUNITY 3Minimizing Risk and LossFinding the Right Balance
SECTION 3: BENEFITS 4Implementing Best Practices for Better ResultsThe Data Selection Process
Copyright © 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permittedby applicable law, CA provides this document "As Is" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA beliable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. Executive Summary
Challenge
Increased regulatory scrutiny on the protection levels afforded sensitive information bythose that transact and process it is causing enterprises to improve mainframe securitystrategies. This entails proactively investigating exposures and implementing appropriatepolicies, processes and technologies, including those for data z/OS tape encryption.
Opportunity
Organizations need to identify exposure points and the information in need of encryption,taking steps to avoid encrypting too much or too little - or both. To that aim, they need toimplement tape encryption policies that protect all sensitive data without burning moneyand man hours safeguarding information that doesn't require that higher level of security.
Benefits
Because all data is not created equal, it's best to consider a tape encryption strategy that'saligned with business practices, security objectives and compliance drivers. But, the finalreality check would be to judge if a data set satisfies the minimal non-disclosure criteria ofexisting or emerging regulatory requirements. Doing this comparison will help enterprisesaddress both the spirit and letter of applicable mandates as they apply to the security andprotection of personal and business-critical data.
WHITE PAPER: DATA ENCRYPTION BEST PRACTICES FOR MAINFRAME TAPE 1SECTION 1: CHALLENGE
Securing Personal and Business-critical Data There's No Such Thing as Low RiskData loss incidents expose enterprises and their partners, clients, constituents and employeesto a multitude of risks. After all, unauthorized and rogue access to sensitive personal andbusiness-critical information often results in identity theft, and ultimately, adversely affects:. Consumer credit ratings . Press coverage . Organizational reputation and perception. The bottom line via citations and fines for noncompliance
Unless steps are taken to secure data by all businesses and governmental agencies, thesituation simply promises to get worse. In fact, millions of individuals are impacted by data lossevery year. And as criminals increase their sophistication and we become more dependent ontechnology, the collateral damage will continue to grow exponentially. That means that there isno such thing as a low-risk organization or low-risk personal information. It also means aninstitution's trustworthiness is the least of its concerns.
Encryption is Key Data breach exposures aren't hype - they're very real and can have significant impact on anorganization. And because all data is now business critical, many US and EU governing bodieshave written laws that:. Protect consumer data identities. Require businesses to be proactive in disclosure and remediation. Levy hefty fines for incidents of exposure
To date, nearly all of the 50 US states have enacted legislation requiring companies andgovernment agencies to report loss or theft of personal information when the exposed data isnot encrypted.
Thus, encryption for mainframe tapes has rap... [download for more]