Understanding the reasons for pursuing an encryption strategy is important from the outset. Failure to capture the full set of drivers can result in an inadequate and/or unusable solution.

· Identify all relevant regulatory obligations that impact data security and data privacy:

o Sarbanes-Oxley,

o HIPAA,

o Payment Card Industry Data Security,

o EU Data Privacy,

o CA SB 1836 / AB 1950, etc…

· Identify all relevant legal obligations that impact data security:

o Court orders,

o Contractual obligations,

o Trade secrets,

o Competitively sensitive information,

o Intellectual property, etc…

· Identify all relevant executive management concerns

o Public image,

o Thwarting and detecting criminal activity,

o Protecting intellectual property,

o And trace them back to quantifiable obligations and requirements.

· Review organizational policies associated with data protection and data security:

o Retention,

o Destruction,

o Privacy / confidentiality, etc…

· Review organizational IS/IT strategic plans to identify desired future states with defined data protection and data security dependencies

· Review recent IS audit results/findings to identify data privacy/confidentiality deficiencies

· Determine whether compliance or data security requirements serve as the primary need for confidentiality measures

· Determine the role of monitoring and reporting (auditing)