Most of today’s standards and compliance regulations are concerned largely with the protection of private data at rest, during transactions, and while it traverses network connections. Some of these regulations make specific recommendations or require particular technologies for compliance. For all of them, however, encryption can be employed to satisfy the protection requirements.
Sponsored by Utimaco
Regulations and Standards:
Where Encryption Applies
A SANS Whitepaper - November 2007 Written by Dave Shackleford
Data Definitions
Best Practices for Data Privacy Compliance
Regulations and Standards: Where Encryption AppliesOverview
There are a signifi cant number of regulations in effect worldwide that relate to protection of private and sensitive data. Some are focused on protection of specifi c industry information, where others are more concerned with proper disclosure of data loss incidents and general privacy attributes.
Most of today's standards and compliance regulations are concerned largely with the protec-tion of private data at rest, during transactions, and while it traverses network connections. Some of these regulations make specifi c recommendations or require particular technologies for compliance. For all of them, however, encryption can be employed to satisfy the protec-tion requirements. By determining what data you are required to protect, locating the data at rest and in transit, and implementing the appropriate encryption technologies, you can signifi -cantly improve your overall security posture while complying with any number of data privacy regulations.
The following pages describe the types of data under regulation and describe basic best prac-tices for implementing appropriate encryption technologies. After that are tables of U.S. and international data privacy regulator overviews, how encryption applies to them, and basic best practices for those applications. They are color-coded as follows: green for fi nancial data regu-lations, red for medical data regulations, and blue for private individual data regulations.
SSAANNSS AAnnaallyysstt PPrrooggrraamm 11 Regulations and Standards: HWahredrwe aErnec vreyrpstuios nS oAfptwplaieresData De? nitions
Although there are many distinct types of data of importance to regulators, most of them fall into several broad categories:
. Financial data: The types of fi nancial data are numerous, but commonly include credit card account numbers and tracking data, bank account numbers and asso-ciated fi nancial information, and a variety of credit-related data on individuals and businesses. Several regulatory standards, particularly Sarbanes-Oxley in the Unites States, are concerned with reporting fi nancial data for public companies.
. Personal health data: Sensitive patient health data can include insurance-related data, actual medical information, and personal data about patients, such as social security numbers, addresses, and other sensitive information, which should not be publicly available.
. P rivate individual data: Such data includes social security numbers, addresses and phone numbers, and other personally-identifi able data that could potentially be used for identity theft and other illicit activity.
. M ilitary and government data: Data specifi c to government programs, particularly those related to military departments and operations is carefully regulated.
. C onfi dential/sensitive business data: Data that has to be kept secret including trade secrets, research and business intelligence data, management reports, customer information, sales data, etc. falls into this category.
Data at rest is data that is commonly located on desktops and laptops, in databases and on fi le servers. In addition, subsets of data can often be found in log fi les, application fi les, confi gura-tion fi les, and many other places.
Data in transit is commonly delineated into two primary categories - data that is moving across public or "untrusted" networks such as the Internet, and data that is moving within the confi nes of private networks such as corporate Local Area Networks (LANs). A related concept is data in use, which refers to data that is being processed. One example would be a bank balance trans-action update, which needs to occur in a secure tamper-proof environment.
SSAANNSS AAnnaallyysstt PPrrooggrraamm 12 Regulations and Standards: HWahredrwe aErnec vreyrpstuios nS oAfptwplaieresBest Practices for Data Privacy Compliance
Implementing a sound protection strategy can be a daunting task - where do you start? What follows is a simple, step-by-step approach to protect the sensitive data in yo... [download for more]
