Driven by regulatory compliance issues and the ever-growing threat of compromised private data, more and more organizations are starting encryption projects. When done right, encryption can add an excellent layer of defense on top of the good access controls already protecting your data. Before you jump right into the implementation phase of your encryption project, let's look at the most critical part: understanding the purpose and the scope of the project. An encryption project, particularly one involving the encryption of fields in database files, is not a trivial undertaking. It's critical that you plan and design it properly.

Understand the Purpose of Your Project

If you want to keep your data secure, simply encrypting it will probably not achieve your goal (we'll discuss this in more detail later). If your goal is to comply with a regulation such as the Payment Card Industry (PCI) Data Security Standard, then you must carefully read and understand its requirements. The PCI Data Security Standard has detailed encryption requirements and sets the expectations of what PCI auditors will look for in your implementation. If you are encrypting to satisfy a law (such as the notification laws that have recently sprung up in numerous states), I recommend that you design your implementation as though you were meeting a standard such as PCI's. Most states' notification laws do not provide details about the type or strength of encryption required; rather, they simply exempt the entity from having to notify individuals if the breached data was encrypted. You might as well implement a strong encryption scheme with strong key management processes in case the laws change and start specifying strict requirements (or your business changes, and you suddenly find yourself having to comply with a strict law or regulation). In other words, if you're going to the trouble of implementing encryption, you might as well do it right. For a list of encryption resources, see "Find Out More," on page 3.

Identify the Scope of Your Project

The first step in identifying the scope of your encryption project is to determine what data you are going to encrypt. This decision is not one that should be made in a vacuum; in other words, what data gets encrypted should not be the sole decision of the IT administrator or programmer in charge of the project. The decision needs to be made with the help of the data owners and possibly your organization's legal counsel. Why? Because no single person is aware of all of the regulations that determine what constitutes private data, of the laws and regulations that govern protection of private data, of the ramifications of not protecting the data or having the data compromised, and of all the places where the data is stored and how it is used. To do this project right, you need input from numerous individuals from around your organization. Only after you gather this input can you know the true scope of your project and decide how to proceed. Let's look at the steps you need to take to determine the scope of your project.

Step 1: Determine the type of data to be encrypted.

The laws and regulations with which your organization must comply might dictate the type of data you must