NIST 800-111. Practical Advice for Data Protection Projects

This week I want to take an opportunity to remind readers of the excellent NIST publication 800-111.

Yes, I know, another complex government-sponsored report, but for those implementing any kind of data protection project, 800-111 is one of the best reports on the subject, covering the technology, its practical use, and risk analysis. It’s really (for NIST publications anyway) a very good read.

The other reason to pay attention to 800-111 is quite simply that it’s the document regulations mention when talking about “Good Practice”, “Industry Standard processes”, “Accepted Best Practice” etc. This document contains the advice that you’ll be measured against if you ever end up in court defending your Security Policy against something like Massachusetts 201 CMR 17.00.

The report discusses all the major technologies you can use, from full disk encryption to PKI, and from virtual disk encryption to traveling with encryption.

So, to some practical advice from 800-111:

Organizations should use centralized management for all deployments of storage encryption except for standalone deployments and very small-scale deployments.

Organizations should ensure that all cryptographic keys used in a storage encryption solution are secured and managed properly to support the security of the solution.

Organizations should select appropriate user authenticators for storage encryption solutions.

Organizations should implement measures that support and complement storage encryption implementations for end-user devices.

Right at the beginning we get advice on appropriate centralized management (to reduce TCO and give effective control), proper key management, proper authentication and user audit (including using unique accounts), and using training and business processes to strengthen “security”. There’s even information on training:

Making users aware of their responsibilities for storage encryption, such as encrypting sensitive files, physically protecting mobile devices and removable media, and promptly reporting loss or theft of devices and media.

Finally, I want to point out that though not comprehensive, 800-111 does help construct a “plan” of implementation. For those beginning data protection projects, who’ve seen me talk about “drinking from a fire hose”, the advice is invaluable:

  1. Identify Needs
  2. Design the Solution
  3. Implement and Test a Prototype
  4. Deploy the Solution
  5. Manage the Solution

I strongly recommend you print a copy, grab a highlighter pen and read it through.

  1. Mike W
    March 2, 2010 at 12:33

    Nice read.
