
29) Does your organisation encrypt client data on its IT systems?

August 30, 2022
IT Operations
Data Encryption
Encryption at Rest

Answer yes if your organisation encrypts client data on its IT systems. Please state the encryption algorithm used in the notes.

What is it?

Encryption is the process of taking data in a readable (or machine-interpretable) format and converting it into an unreadable (or uninterpretable) format using an encryption algorithm and keys.

This applies both to data in storage (also known as “at rest”) and data in transit (while it is being transmitted between systems).

The general concept is that only authorised parties can decipher the encrypted data and access the original information.

Why should I have it?

Encryption means that, in theory, even if data is exposed, whether in storage or during transmission, it cannot be read (assuming that the encryption keys have not been compromised as well). For this reason, the data is likely to be unusable if lost or stolen, effectively mitigating the breach.

For these reasons, data at rest in applications and databases should be encrypted whenever possible.

With regard to data in transit, data transmitted without being encrypted is susceptible to eavesdropping over the internet, or possibly even on your local network. It is therefore imperative that all data in transit also be encrypted whenever possible.

This should not be limited to communication over the internet but should include communication over internal networks, between systems on the same network segment, or even between the front-ends and back-ends of applications running on the same system. All of these provide additional layers of security in case any part of your infrastructure is compromised, or if an internal user or system attempts to access or misuse information in an unauthorised fashion.

The more information is protected by encryption, the greater the level of assurance you and your clients have that data is protected both in transit and at rest.

How to implement the control

There are many kinds of encryption present in a variety of protocols, technologies, operating systems, applications, etc. Because of this, the application of encryption should be defined by policy and left to different technical teams to implement as appropriate.

Policies should also include standards for the types and strengths of available encryption, to make sure the mechanisms applied are sufficiently strong for each particular application. Finally, ensure encryption is implemented properly, keeping in mind that it is ineffective if the keys are compromised or if weak mechanisms are used. Key management is an important part of your encryption strategy and should not be ignored.
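To make the ideas in the "What is it?" section and the policy and key-management points above concrete, here is an added example (not code from the original article or from Risk Ledger) of encrypting a client record at rest with AES-256-GCM, which is one algorithm an organisation might name in the questionnaire notes. The 32-byte key requirement is an assumed policy minimum, the JSON record and record identifier are constructed sample values, and the functions `NewKey`, `CheckKeyPolicy`, `EncryptAtRest` and `DecryptAtRest` are hypothetical names chosen for this example. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed policy minimum for this example: AES-256, i.e. a 32-byte key.
const requiredKeyBytes = 32

// NewKey returns a fresh random AES-256 key. In production the key should be
// generated and held by a key-management service or HSM, never stored beside
// the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, requiredKeyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// CheckKeyPolicy rejects keys that do not meet the assumed strength standard.
func CheckKeyPolicy(key []byte) error {
	if len(key) != requiredKeyBytes {
		return fmt.Errorf("key is %d bytes; policy requires %d (AES-256)", len(key), requiredKeyBytes)
	}
	return nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if err := CheckKeyPolicy(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest seals a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is what would be written to disk or a
// database column. context (e.g. the record ID) is authenticated but not
// encrypted, so a blob cannot be silently swapped into another record.
func EncryptAtRest(key, plaintext, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, context)...), nil
}

// DecryptAtRest reverses EncryptAtRest. The wrong key, the wrong context, or
// any change to the stored bytes makes the GCM tag check fail, so corrupted
// or tampered data is never returned to the caller.
func DecryptAtRest(key, stored, context []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, context)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample client record and record identifier.
	record := []byte(`{"client":"Example Ltd","contact":"alice@example.invalid"}`)
	ctx := []byte("client-record:42")

	blob, err := EncryptAtRest(key, record, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes of ciphertext, unreadable without the key\n", len(blob))

	// Flip one stored byte to simulate corruption or tampering on disk.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptAtRest(key, blob, ctx); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01

	plain, err := DecryptAtRest(key, blob, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(plain))
}
```

The point to take from running it is the one the article makes: the stored blob reveals nothing on its own, and protection collapses entirely if the key is exposed, which is why the key is generated separately and why `CheckKeyPolicy` encodes the strength standard the policy sets rather than leaving it to each caller.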

As with most security technologies, the earlier encryption is built into solution or product design and architecture, the better, as it can be difficult and costly to retrofit afterwards.

There are numerous consultancies or individual consultants that will be able to assist in implementing encryption that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
