Organizations are under pressure from various government and industry regulations to better protect information assets from unauthorized access; these regulations require special handling of information during the regular production lifecycle and also in the event that information is lost or stolen.
Data is one of the most highly valued resources in a competitive business environment. Protecting that data, controlling access to it, and verifying its authenticity while maintaining its availability are priorities in today's business environments. Increasing regulatory requirements are also helping to drive the need for data security.
Cryptography is an industry-recognized method of data protection and, if properly implemented, provides extremely strong information protection that can help achieve these goals without disruption to key business processes and deliverables.
Protection of sensitive employee, customer, partner and shareholder business information is a fundamental component of enterprise data security, and this document is one of the important first steps in establishing solid foundations for the production deployment of cryptographic services.
Documented data encryption standards are also required for any enterprise subject to the PCI Data Security Standard (PCI DSS).
One of the first steps in defining encryption standards is establishing a data classification policy to identify which data elements are business critical and must be protected from uncontrolled disclosure. The Enterprise Data Classification and Encryption policies address this requirement.
Developing an extensive enterprise encryption standard is a process of creating initial base principles from industry- and government-proven guidelines and then tailoring them, in an iterative manner, to fit the company's specific technology and business environments.
The approach used in creating this document is to review relevant documentation and adapt the necessary components to the company environment. In many cases it makes sense to adopt existing procedures without changes, but some of the approaches required in highly secured federal government environments may not be necessary for the company to achieve compliance and adequate security.
Sources of information for this document include relevant documents developed by US, Canadian and European agencies, specialized information security providers and international standards bodies in the areas of data privacy and encryption, such as ISO 11568 (Banking: Key Management), ISO 13491 (Secure Cryptographic Devices), ISO 16609 (Requirements for Message Authentication Using Symmetric Techniques), ANSI X9.30 (Public Key Cryptography), NIST SP 800-57 (Recommendations for Key Management) and others.