Definition: In its simplest form, communications security (COMSEC) is essentially data protection. Typically, encryption is used to address vulnerabilities at three points: inside the LAN, outside the LAN and at rest. There are multiple levels of encryption, with continual enhancements being made.
Inside the LAN
The use of encryption may be mandated by law or by best business practices. Some examples include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA). If, after performing your risk analysis, you determine that data inside the LAN is worthy of protection from unauthorized access, then you should consider encrypting it in addition to taking the other appropriate measures that we’ve discussed on this blog.
Outside the LAN
Best business practices often dictate that data outside of your physical control be encrypted. There have been several instances where data courier services have lost backup tapes in transit. If the data on those tapes was not encrypted, it is incumbent upon the company to notify the owners of that information that their data may have been lost, and the company may also be obligated to provide credit/fraud monitoring for some period of time.
At rest
Protecting your data when it’s at rest is a second means of protecting the integrity of the data. For example, with electronic personnel records, it’s clear that the only people with access to that data should be in the Human Resources department. Therefore, even if no one is trying to access the data (the data is at rest), it should be encrypted to ensure that this added level of security is present.
So how do you encrypt your data? Windows comes with a built-in tool called BitLocker. Each business is unique and therefore has different needs. Contact your IT provider for more information on the best way to encrypt your data.