The Onakee Group

Encryption Standards and Why It Matters


Our Objective:

Help your institution describe considerations for an encryption policy ensuring the protection of information confidentiality, integrity, and authenticity (CIA).

Encryption is a foundational defense against many different risk scenarios, ranging from communications eavesdropping to data breach and theft to access control of critical data. As such, institutions should develop policies and standards to help define the appropriate secure use of encryption and related key management methods. Decide where you will store encryption keys securely. For enterprise institutions, key management quickly becomes complex and difficult to manage, and central key storage is likely the best option. Dictate strong access and auditing policies for this storage so only authorized individuals can access keys. Ensure that a limited number of trusted administrators (but no fewer than two) can access this location so that no single person holds the keys. For critical encryption keys, consider escrowing them in a physically secure location in the event of database failure and backup failure.

Using a Trusted Platform Module (TPM) to store encryption keys is one example of a secure key management technique on client machines.

01

Cyber Liability

“Cyber insurance coverage is a valuable and practical member benefit for lawyers offered through the ABA Insurance portfolio,” ABA President Linda A. Klein said. “As the number of cyber breaches increases everywhere and throughout all industries, it is critical that lawyers and law firms that rely on vast amounts of electronic data are protected.”

02

Law Firm: Staff Training

Sherri Davidoff presented “Cybersecurity Training for Law Office Employees.” Everyone in your office should be trained, including lawyers, support staff, first-responders (IT personnel) and clients. Client portals for law firms are popular, but portal users must be trained, sometimes on a one-on-one basis.

03

Privacy Threat

Governments as well as private sectors have largely missed out on that transformation of data protection because of poor management of technology investments, taking years longer than necessary to deploy and delivering technologies that are obsolete by the time they are completed.
