II. Management

Data Encryption Management

Data encryption can be either locally or centrally managed. Centralised management is more commonly deployed and performed through specific data encryption management utilities or together with the operating system's configuration utilities. Centralised management is recommended for most cases, because it enables effective and efficient encryption task management.

However, management may still choose to deploy storage encryption locally without a centralised management capability. This is generally acceptable for standalone or very small-scale deployments, especially for data that need to be encrypted quickly.

Data Encryption Planning and Implementation

A successful deployment of new encryption technologies very much relies on a step-by-step planning and implementation process which minimises unforeseen issues and helps to identify potential pitfalls. The following are the major task during planning and implementation phase:

1. Identify Requirements

In the beginning of the process, management should identify the needs to encrypt information on universities' information systems and/or end user devices, determine which device or data needs encryption, and define related performance requirements. The requirements include:

  • External Requirements - such as legal requirement to protect privacy and personal data;

  • System and Network Environment - data encryption solutions should be compatible with universities' existing IT environment (in terms of availability and efficiency) and able to provide the necessary protections without introducing conflicts and inefficiencies; and

  • Support Limitations - identify any possible violations to the terms of a software support contract or the warranty of products used with the relevant device.

2. Design a Solution

Based on the requirements identified in the previous phase, management should design a solution to realise the requirements. Major aspects of a solution design of data encryption include:

  • Cryptography - encryption schemes and algorithms, such as Advanced Encryption Standard (AES), Secure Sockets Layer (SSL);

  • Authentication - authentication methods and authenticator protection. For example, passphrase, security token, public/private keys;

  • Solution Architecture - selection of data encryption devices and software and location of centralised data encryption management;

  • Other Security Controls - additional controls that complement the data encryption implementation, such as policies regarding acceptable use of data encryption technologies; and
 
Reference:
http://www.infosec.gov.hk/english/computer/encrypt.html
http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf