RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Date: Fri, 22 Jul 2005 13:13:35 -0400
From: Hugh Smith <[log in to unmask]>
Reply-To: Records Management Program <[log in to unmask]>
Sender: Records Management Program <[log in to unmask]>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Parts/Attachments: text/plain (96 lines)

In Peter's RAIN:  Jul 21, 2005,  Automatic digest processor wrote:

> FIGHTING Data Theft
> Line 56 News - USA
> ... include BJs Wholesale Club, Polo Ralph Lauren, Bank of America,
> Citibank,
> DSW Shoe ... exploited was different, ranging from misplaced backup
> tapes
> and unpatched ...
> <http://www.line56.com/articles/default.asp?ArticleID=6727>
>

SNIP from article:

Encryption is an algorithm used to scramble data which makes it
unreadable to everyone except the intended recipient. Each of the
issuer programs offers specific guidance with respect to encryption, and
specifically encryption of data at rest, so it is important for
retailers to encrypt sensitive data -- whether it be in storage,
applications or databases.

Recommendation: Encrypt sensitive data before storing it in databases,
and leverage high strength, industry-standard encryption algorithms.

The reality is that even if data is encrypted, that data is still only
as secure as the cryptographic keys used to do the encryption. That's
why card guidelines specify a range of precautions for securing
cryptographic keys. PCI guidelines state organizations should "store
keys securely in the fewest possible locations and forms."

Effectively addressing this mandate requires more than encryption--it
requires doing encryption through an appliance in a centralized manner.
For example, if encryption is managed on disparate application servers,
data still may not be secure--as the keys will also typically reside in
these disparate, insecure locations.

______

From the various projects we are now involved with, there are problems
where the client somehow loses control of their encryption key and
therefore can't open their own data. When time is critical, these
delays are ruinous to the data center's efficiency. In addition,
storing the media in an environment where it is protected from
degradation from environmental concerns is much more important. If the
media is damaged by improper storage (poor temperature and humidity
control, delivery or handling in a manner that damages the tapes) or
the media is stored adjacent to equipment that creates damaging
magnetic fields (e.g. data centers or server rooms), these damaged
tapes can create problems for the encryption keys or create error codes
that make the cartridge unreadable.

As your organizations talk about encryption, this is an opportunity for
RM to become involved in the discussion, as integrity of the "best
evidence copy" is what you are all about. Point out that data should be
under the purview of RM and that providing the proper storage
environment is critical to a successful encryption program. The CIO
and IT Manager will have their plates full; this is an opportunity for
you to get involved in the offsite management of the media archive.

This is a discussion that should get more focus on the Listserve so
that each of you can present ideas on improving data security from an
RM perspective.  A well thought out discussion and preparation on your
part could totally change your role with regard to electronic records
in your organization.

Given the trouble controlling the keys, a more centralized approach to
the data center might be a trend, and this makes it easier for RM to be
part of the management. We are building vaults around a number of
server rooms (Server Vaults), so this is the beginning of the trend of
centralized security. This is being assisted by the fact that server
equipment has become much more efficient. This means the entire data
operation can be placed in a room of 20' x 30' or 30' x 40' for very
large organizations. This makes protecting the IT equipment much less
expensive and therefore more easily placed right within the corporate
platform, where you have access to participate if you can convince
management of the role you should play.

Electronic records management is a key part of the discussions at the
NAGARA Conference in Richmond this week, just as it was at the
Richmond Technology Summit last week. So the choice is for RMs to
figure out how best to interface with the electronic records or lose
ground to the IT Managers, who are now being forced to adapt to controls
from SOX and concerns about identity theft.

This might be the ideal time to use the "2,000 Mile Turtle" strategy of
garnering management's interest in what you have to offer.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM
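The quoted article makes two points that are easy to state and easy to get wrong in practice: encrypted data is only as secure as its keys, and keys should live "in the fewest possible locations and forms." Hugh's note adds the flip side, a client who loses control of the key and can no longer open their own data. The following Go program is an added illustration written for this archive page; it is not code from the article, from the list, or from FIRELOCK. It shows the envelope-encryption pattern that centralized key management appliances typically use: each record is sealed under its own data key (DEK), and the DEK is stored only wrapped under one central key-encryption key (KEK). With that layout the KEK is the single secret that must be guarded and backed up, a copy of it restores access, any other key fails cleanly, and a record altered in storage (for example by a damaged tape) is rejected rather than decrypted into garbage. All key and record values are constructed at run time; nothing here comes from a real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is one stored record: the record sealed under a per-record data
// key (DEK) plus that DEK sealed under the central key-encryption key (KEK).
// No key material appears in the clear anywhere in the envelope.
type Envelope struct {
	WrappedDEK []byte // DEK, AES-256-GCM under the KEK
	Ciphertext []byte // record, AES-256-GCM under the DEK
}

// NewKey returns a fresh random 256-bit key (used for both KEKs and DEKs).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key; the random nonce is
// prepended to the output so unseal can find it.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal. The GCM tag check fails when the key is wrong or the
// bytes were altered, so a wrong key or a damaged blob never yields plaintext.
func unseal(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt seals record under a fresh DEK and wraps that DEK under kek, so the
// only long-lived secret that must be protected and backed up is the KEK.
func Encrypt(kek, record []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with kek and then opens the record. Without the
// correct KEK the first step fails and the record stays unreadable.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key (wrong or lost KEK?): %w", err)
	}
	return unseal(dek, env.Ciphertext)
}

func main() {
	kek, _ := NewKey()                   // the one central copy
	escrow := append([]byte(nil), kek...) // the offsite backup copy
	env, _ := Encrypt(kek, []byte("constructed sample record"))

	got, err := Decrypt(escrow, env) // restoring from the backup copy works
	fmt.Printf("escrow copy: %q err=%v\n", got, err)
	other, _ := NewKey() // stands in for the real KEK having been lost
	_, err = Decrypt(other, env)
	fmt.Println("other key:  ", err)
}
```

Run it with `go run` on a single file. The design point is that the envelope can be copied to tape, a second site, or a backup without carrying any usable key, while the KEK can be kept (and escrowed) in one controlled place; losing every copy of the KEK loses the data just as surely as losing the tape, which is why key backup belongs in the same records-retention conversation as media storage.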

List archives at http://lists.ufl.edu/archives/recmgmt-l.html