
Data encryption: Three steps to take now

  • 24-08-2016 9:37am
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    From an article by PwC in the Wall Street Journal

    First, they should create a data classification plan by determining and categorizing the data they hold — such as public, confidential and restricted. Advertisements are an example of public data, while strategic plans and sensitive employee or customer elements are an example of confidential data.

    Companies must then decide what controls they will require for each category, such as password strength, logging, or encryption. This step may include conducting a data discovery exercise to find out where data is held, then classifying it according to the framework the company has created.

    Finally, organizations must roll out the data classification approach within system development activities and for third parties handling their data, ensuring they understand what data that third party will be handling and how it will be protected.

    Obvious - but how many organisations formally engage in the assessment?

    http://sponsoredcontent.wsj.com/pwc/broader-perspectives/data-encryption-three-steps-to-take-now/
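    The three steps above as an added example, not code from the article or the poster: a small Python check that classifies sample content into the article's public/confidential/restricted categories, derives the controls each category requires, and reports the gaps for a constructed inventory, including the third-party case. The detection patterns, control names and inventory are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# The article's three categories, lowest to highest sensitivity.
LEVELS = ["public", "confidential", "restricted"]

# Controls each category must have (assumed policy; the article only names the control types).
REQUIRED_CONTROLS = {"public": set(),
                     "confidential": {"strong_passwords", "access_logging"},
                     "restricted": {"strong_passwords", "access_logging", "encryption_at_rest"}}

# Discovery markers (constructed, illustrative): content that implies a category.
MARKERS = {
    "restricted": [re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),  # card-like number
                   re.compile(r"\bPPSN?\b")],                               # Irish PPS number label
    "confidential": [re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),              # e-mail address
                     re.compile(r"\bstrategic plan\b", re.I)],
}

@dataclass
class DataStore:
    name: str
    sample: str                      # content seen during the discovery exercise
    controls: set = field(default_factory=set)
    third_party: bool = False        # handled by an external party?

def classify(sample: str) -> str:
    """Step 1: the highest category whose markers appear in the sample."""
    for level in reversed(LEVELS):
        if any(p.search(sample) for p in MARKERS.get(level, [])):
            return level
    return "public"

def gaps(store: DataStore) -> set:
    """Steps 2 and 3: controls the store's category requires but that are not in place."""
    level = classify(store.sample)
    required = set(REQUIRED_CONTROLS[level])
    if store.third_party and level != "public":
        required.add("third_party_agreement")   # third party must know what it handles
    return required - store.controls

# Constructed inventory standing in for the output of a discovery exercise.
INVENTORY = [
    DataStore("marketing-site", "Summer sale: 20% off all items"),
    DataStore("crm-db", "contact: jane.doe@example.com", {"strong_passwords"}),
    DataStore("payroll-export", "PPSN 1234567T card 4111 1111 1111 1111",
              {"strong_passwords", "access_logging"}, third_party=True),
]

def gap_report(stores=INVENTORY) -> dict:
    """Per store: assigned category and the sorted list of missing controls."""
    return {s.name: (classify(s.sample), sorted(gaps(s))) for s in stores}
```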


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I don't know what you mean by "now"; this has been standard stuff for a long time. That said, patching your gear when it needs to be patched is standard stuff too, and it's amazing how many companies don't do that either.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    The words are written by PwC - so one would assume from their audit and other work that they are of the view that it is not being widely done in practice. If every company/organisation was adopting the guidance, they would look rather stupid preaching it afresh.

    Surely, the logical thing is 'if you are doing it, move on'


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Impetus wrote: »
    The words are written by PwC - so one would assume from their audit and other work that they are of the view that it is not being widely done in practice. If every company/organisation was adopting the guidance, they would look rather stupid preaching it afresh.

    Surely, the logical thing is 'if you are doing it, move on'

    This is the sort of whitepaper most security companies bring out now and again. Great marketable essay which will get them quoted by The Register, but which cost nothing to actually put together. I didn't read it but I bet somewhere either on their site or the bottom of the article it says "If you need help with your encryption strategy, contact our experts at sales@pwc.ie".


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    syklops wrote: »
    This is the sort of whitepaper most security companies bring out now and again. Great marketable essay which will get them quoted by The Register, but which cost nothing to actually put together. I didn't read it but I bet somewhere either on their site or the bottom of the article it says "If you need help with your encryption strategy, contact our experts at sales@pwc.ie".

    It was not written by PwC Ireland. It appeared in the Wall Street Journal. And there is no sales contact as you suggest. Perhaps you should have read it before making the comment you made.

    I posted it because it states basic principles in simple language, which in my experience many organizations ignore.

    It seems to me that none of the postings to this thread origin make any contribution to information security, and the writers are not focused on the topic.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Impetus wrote: »
    It was not written by PwC Ireland. It appeared in the Wall Street Journal. And there is no sales contact as you suggest. Perhaps you should have read it before making the comment you made.

    I posted it because it states basic principles in simple language, which in my experience many organizations ignore.

    It seems to me that none of the postings to this thread origin make any contribution to information security, and the writers are not focused on the topic.

    So I clicked on the link and I was half right. It is Sponsor Generated Content. If you click "what is this" in the banner it will read:
    This content was paid for by an advertiser and created by the Wall Street Journal advertising department. The Wall Street Journal news organisation was not involved in the creation of this article.

    So it's an advert for PwC, with a couple of quotes from PwC's Global Assurance Cybersecurity and Privacy Leader at PwC.

    I for one am interested in Information Security and I'm a regular contributor to this forum. I speculated on the purpose of the content you linked to and I was partly right. This isn't news. It's spam.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    syklops wrote: »

    I for one am interested in Information Security and I'm a regular contributor to this forum. I speculated on the purpose of the content you linked to and I was partly right. This isn't news. It's spam.

    It is not spam because it relates to computer security. It may not interest you. If so, you can remove yourself from the thread. In my view what you have been posting is spam! If we were to eliminate all postings based on the motives of the source of a story, there would be very little to discuss. Blackhat, Apple's case against the US government over security, anything you can think of, is publicity seeking. Anyone who reveals a security weakness in a product or technology is likely to have (or have invested in) an alternative solution before creating their publicity.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    And for the avoidance of doubt, I have no connection with PwC whatsoever.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Impetus wrote: »
    And for the avoidance of doubt, I have no connection with PwC whatsoever.

    This article has no connection with PwC, aside from them paying for it to be written.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    Impetus: it is a sponsored article by an international company (PWC) that provides security auditing services. Now, their services, audit, pentest and forensics, are very good, but it is still essentially an advertisement with an element of fear mongering and a slight edge of sensationalism. Why? Because they want you to think "oh, I don't encrypt or classify my data" or "I pay a lot to have my data encrypted, maybe I can cut back a bit" and then associate PWC and the links in the article with a service that can help you.

    That's all fine. What syklops says about it being a whitepaper that gets trotted out is absolutely true. There is nothing new in that piece; it's a re-hash of advice and best practice that has been around for years (data classification is one of the early parts of access control in CISSP and earlier).

    I guess you two have opposite sides of the same opinion here. syklops is being cynical because it's a marketing ploy and essentially a full page advert in the WSJ.

    You see value in it as the start of a discussion on security best practice in "layman's terms".

    You're both right imho. It's good to discuss security in terms the average marketing manager can understand (so he finally realises why he can't give his company laptop to his teenage son to play games on and why he cannot plug his Mac into the office network to run his third-party software), but it's worth remembering that the article linked is not a best practice article composed without bias or ulterior motive.

    So, in the interest of discussion: isn't data classification part of the ISO series of certification? Especially those that handle personal data (that needs to be classified and access only given to authorised parties, or there is a risk of data breach and data privacy laws will hold the designated Data Officer responsible).

