[ISN] Why Organizations Fail to Encrypt

From: InfoSec News <alerts_at_private>
Date: Mon, 24 Dec 2012 04:22:39 -0600 (CST)

By Eric Chabrow
Bank Info Security
December 22, 2012

Karen Scarfone, who coauthored NIST's encryption guidance, has a pretty 
good idea why many organizations don't encrypt sensitive data when 
they should. The reason: they do not believe they are required to do so.

Scarfone, who left the National Institute of Standards and Technology in 
2010 and founded a consultancy a year later, reached that conclusion 
after a phone conversation with representatives from a state agency 
that had just experienced a breach. The state agency representatives 
had read NIST Special Publication 800-111, Guide to Storage Encryption 
Technologies for End User Devices, and contacted Scarfone for advice.

"Their questions really circled around whether there is a specific law 
or regulation that requires sensitive data to be encrypted," Scarfone 
recalls in an interview with Information Security Media Group. "In a 
roundabout way I told them, no. What you have to do is take a risk-based 
approach [because] the same data in different contexts may be sensitive 
or non-sensitive and it's too difficult to make a law that basically 
would enforce that."

Scarfone cites, as an example, Social Security numbers - sensitive 
information to be secured when a person is alive, but once the 
individual dies, the Social Security Administration makes the number 
public to help thwart identity theft and financial fraud.

Received on Mon Dec 24 2012 - 02:22:39 PST