Understand Confidentiality Drivers
March 27, 2011

Understanding the reasons for pursuing an encryption strategy is important from the outset. Failure to capture the full set of drivers can result in an inadequate and/or unusable solution.
· Identify all relevant regulatory obligations that impact data security and data privacy:
o Sarbanes-Oxley,
o HIPAA,
o Payment Card Industry Data Security,
o EU Data Privacy,
o CA SB 1836 / AB 1950, etc…
· Identify all relevant legal obligations that impact data security:
o Court orders,
o Contractual obligations,
o Trade secrets,
o Competitively sensitive information,
o Intellectual property, etc…
· Identify all relevant executive management concerns:
o Public image,
o Thwarting and detecting criminal activity,
o Protecting intellectual property,
o Trace each concern back to quantifiable obligations and requirements.
· Review organizational policies associated with data protection and data security:
o Retention,
o Destruction,
o Privacy / confidentiality, etc…
· Review organizational IS/IT strategic plans to identify desired future states with defined data protection and data security dependencies
· Review recent IS audit results/findings to identify data privacy/confidentiality deficiencies
· Determine whether compliance or data security requirements are the primary driver for confidentiality measures
· Determine the role of monitoring and reporting (auditing)