IEncrypt team brainstorming results, July 9th, 2008
Technique: brainstorming issues, followed by clustering.
Clusters and issues are in alphabetical order.
The question considered was: What are the desired outcome and implemenation considerations?
Availability, lifcycle recovery?
- Access to info encrypted long ago?
- Data lifecycle
- Data recovery
- Encrypted backups
- Escrow - can we require it & audit for compliance?
- Key escrow
- Legally required records - can we store them encrypted?
- Who owns the key? Individual? Unit? UW-System?
- Actual stakeholders (individuals)
- Can we get provost sponsorship?
- Faculty buy-in?
- Faculty involvement?
- How to engage faculty?
- System buy-in
Changing regulatory env.
- Evolving product portfolio
- mutating environment - policy - technology
- new threats
- What is the best mix of policies, procedures, guidelines and standards?
- Communications to all needed
- Communications, who to involve and when?
- Promulgation of policy
- Compiance, what's the carrot?
- Consequences of non-compliance
- Gap in federal timeframe - waiting for fed. regs.
- How do we know there is compliance?
- Legal compliance
- Public records requirements
- Are there exceptions?
- Compensating controls (if can't encrypt)
- Exception procedure? Need one?
- Exception procedure? Who grants?
Fit into larger data policy
- What other protective measures need to accompany encryption
- How can we ensure the policy fits within a larger data policy?
- Addressing concerns about cost
- Crypto hardware: - Smart cards - eTokens
- DNS sec
- Ease of implementation
- Encrypted hard drives
- Escrow technology
- Facilitation by campus: - site licenses - documentation
- Full disk vs. file by file encryption
- How to handle technical issues such as encryption keys?
- Managed and unmanaged machines
- Need encryption software site license
- Sharing of encryption keys - can collide with poilicies banning the sharing of passwords
- Standalone software
- TPM (Trusted Processing Module)
- Wireless security (Lopa2
- Data in transit - do we scan for unencrypted data and block transmission (Vonter and similar products "DLP")
- DLP (Data Loss Prevention) tech interacting with encryption
- Gap in federal timeframe - waiting for federal regs
- How to monitor compliance?
- Hunting for leaked data (compliance)
- Shared workstations (i.e. student workers) - required encryption (disk and file) to enforce seperation of access rights by different users
- Digital Signatures
- How to encourage folks to not have sensitive info on vulnerable devices?
- Lost laptop Reporting reqs.
- Portable devices
- USB sticks, iPlug, etc. Does policy cover these "non-competers"
- 8K new students per year to train
- Cirriculim tie-ins
- Training issues
What and when to encrypt
- Calendar entries (type of data)
- Can we / should we identify where sensitive data is?
- Data at rest
- Data classification
- Data in motion
- Database columns
- Definition of Data to be encrypted
- Do we need to ID all laws?
- E-mail (type of data)
- E-mail subjects (type of data)
- How to define what data is covered?
- Paper - policy should not unintentionally require encrypted paper copies.
- Risks during processing
- Sanitizing data to avoid encryption
- Under what circumstances is ecnryption required?
- What is sensitive information?
- What is the value to the institution of the data?
- Why include workstations? (or not?)
- Wiki (type of data)
Why need policy?
- Avoiding headlines
- Data integrity
- Peer-to-peer leaks
- Physical risks, equipment/media theft
- UW reputation
- Why is this issue (encryption) important?