|
There are a significant number of regulations in effect worldwide that relate to protection of private and sensitive data. Some are focused on protection of specific industry information, where others are more concerned with proper disclosure of data loss incidents and general privacy attributes.
Most of today’s standards and compliance regulations are concerned largely with the protection of private data at rest, during transactions, and while it traverses network connections. Some of these regulations make specific recommendations or require particular technologies for compliance. For all of them, however, encryption can be employed to satisfy the protection requirements. By determining what data you are required to protect, locating the data at rest and in transit, and implementing the appropriate encryption technologies, you can significantly improve your overall security posture while complying with any number of data privacy regulations.
The following pages describe the types of data under regulation and describe basic best practices for implementing appropriate encryption technologies. After that are tables of U.S. and international data privacy regulator overviews, how encryption applies to them, and basic best practices for those applications. They are color-coded as follows: green for financial data regulations, red for medical data regulations, and blue for private individual data regulations. Although there are many distinct types of data of importance to regulators, most of them fall into several broad categories:
- Financial data: The types of financial data are numerous, but commonly include credit card account numbers and tracking data, bank account numbers and associated financial information, and a variety of credit-related data on individuals and businesses. Several regulatory standards, particularly Sarbanes-Oxley in the Unites States, are concerned with reporting financial data for public companies.
- Personal health data: Sensitive patient health data can include insurance-related data, actual medical information, and personal data about patients, such as social security numbers, addresses, and other sensitive information, which should not be publicly available.
- Private individual data: Such data includes social security numbers, addresses and phone numbers, and other personally-identifiable data that could potentially be used for identity theft and other illicit activity.
- Military and government data: Data specific to government programs, particularly those related to military departments and operations is carefully regulated.
- Confidential/sensitive business data: Data that has to be kept secret including trade secrets, research and business intelligence data, management reports, customer information, sales data, etc. falls into this category.
Data at rest is data that is commonly located on desktops and laptops, in databases and on file servers. In addition, subsets of data can often be found in log files, application files, configuration files, and many other places.
Data in transit is commonly delineated into two primary categories – data that is moving across public or “untrusted” networks such as the Internet, and data that is moving within the confines of private networks such as corporate Local Area Networks (LANs). A related concept is data in use, which refers to data that is being processed. One example would be a bank balance transaction update, which needs to occur in a secure tamper-proof environment.
Implementing a sound protection strategy can be a daunting task – where do you start? What follows is a simple, step-by-step approach to protect the sensitive data in your environment.
1. Assess your organizational structure to understand where your business is being conducted.
2. Know what rules apply to your organization, particularly when you have international locations.
3. Know what you need to encrypt. Any sensitive data types that need to be protected for regulatory compliance or to comply with internal policies and standards can be strong candidates for encryption. If you have a data classification policy, encrypt the most sensitive or critical category or two.
4. Understand data format: [3 digits][dash][2 digits][dash][4 digits]. A number of techniques and technologies exist for searching for strings and data patterns, including the use of regular expressions. An excellent site that describes the use of regular expressions in detail can be found at http://www.regular-expressions.info/tutorial.html.
|
