
RE: Encryption Policies

Subject: RE: Encryption Policies
Date: Fri, 5 Aug 2005 01:11:17 -0400
Hi Frank,

Typically, instead of focusing on a technology, a policy should focus on the
overall concept.  In this case, what you're really looking at is needing to
establish a data classification (and labelling) policy.  Once the high-level
policy (or schema) is defined, you then want to define a standard containing
required and recommended treatments of data under each level of
classification (such as requiring use of encryption).  Then, you would want
to create an actual data classification mapping (probably separate from the
standard, though not necessarily) such that specific types of data, such as
principal-to-principal emails, are classified under a level requiring
encryption.  Separately, you could then define a standard for encryption
that specifies key size, strength, algorithms, key management and escrow,
etc.

Noting your concerns, I think that the best approach (which applies to
business, too) is to ensure that whichever encryption standard is developed
mandates a key escrow policy so that communication that is encrypted can
still be archived and read if necessary.

fwiw... ymmv...

cheers,

-ben

---
Benjamin Tomhave, CISSP
falcon@secureconsulting.net
http://falcon.secureconsulting.net/
 
"We must scrupulously guard the civil liberties of all
citizens, whatever their background. We must remember
that any oppression, any injustice, any hatred is a
wedge designed to attack our civilization."
-President Franklin Delano Roosevelt
 

-----Original Message-----
From: frank_kenisky@psc.uscourts.gov 
[mailto:frank_kenisky@psc.uscourts.gov] 
Sent: Friday, July 29, 2005 9:40 AM
To: security-management@securityfocus.com
Subject: Encryption Policies

I've been asked about encryption policies for a local school 
district.  Apparently the principals only want to use 
encryption and would like to know if some policy exists that 
might help them word this into their policy.

They only want to use encryption between the principals of 
the schools via email.

There is one issue that has some people questioning their 
motives.  A few months back this same school district came 
under fire when an auditor looked at the number of 
underprivileged children they had included.

A lot of these underprivileged children were their own.  In 
this district these children receive special consideration 
including scholarships.
