On Tue, Dec 1, 2009 at 3:00 PM, Mark McCullough wrote:

> Or do you require encryption of all such potentially removable media
> (tapes, removable disks, etc.)?

[poof]

> For purposes of discussion, please ignore data governed by external
> certifications or audits (e.g. credit card numbers). This is dealing
> with data that is suitable to live unencrypted on internal disk but is
> being backed up on some media that will be removed from the server
> potentially, usually as a part of a rotation to a vaulting process.
The risk is that the removable media will be lost, either en route to/from the vault, or while in the custody of the vault.

A few years ago, the Office of the Comptroller of the Currency made Citi stop doing acquisitions until it improved security, in part because of some security incidents, including the loss of unencrypted backup tapes.

HITECH, the new HIPAA revisions that were passed as part of ARRA earlier this year, say that a covered entity suffering a data breach involving more than 500 individuals, in addition to notifying the individuals and the Secretary of HHS, must notify "prominent media outlets." Data breach notification requirements do not apply to data encrypted to the specifications in the act (referencing some NIST specs -- see 45 CFR part 164 for the "HITECH Interim Final Rule"), so encryption (done right) is pretty much a get-out-of-jail-free card for notification requirements.

So, you have a risk and a potential impact. If your organization isn't subject to such regulation today, it may be in the near future, because, as a society, we're getting more aware and panicked about data breaches (not yet starting to worry about whether having those big piles of data is a good idea to begin with).

The risk of not being able to decrypt it will generally be seen by the business leadership as a lesser risk than having to do a disclosure to any prominent media outlet. Besides, that should not be an issue if you do key management properly. (Don't roll your own with PGP. It's not a trivial problem.) Most big banks and many big health-care IT shops are encrypting removable media now.

The "for the purposes of this discussion..." paragraph seems to say that the caller wants to only consider some scope where the caller doesn't want to have to encrypt stuff.
The point I'm making is that, if there would be adverse effects to having the data in the hands of ne'er-do-wells, then not only is encryption a good idea, but it probably will be the law soon, if it isn't already. Encrypt it.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
