Data At Rest Encryption Solutions » Print » The Memo that Encrypted Twenty Million Machines

The Memo that Encrypted Twenty Million Machines

Posted By Bryan Glancey On 10. April 2009 @ 19:46 In Uncategorized | No Comments

You have all heard me speak of the importance of DARTT (Data at Rest Tiger Team) in bringing much needed standards to the Data at Rest Encryption market. Several people have asked me how it all got started, There is an excelent history of DARTT published by David Hollis in this presentation [1] http://www.infosecaward.com/docs/DARTT_June12_08Briefing_ExecutiveAlliance.ppt - but the inital launch was a result of Office of Management and Budget Memo 06-16 which said:

In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities.

The National Institute of Standards and Technology (NIST) provided a checklist for protection of remote information. (See attachment) The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location. In addition to using the NIST checklist, I am recommending all departments and agencies take the following actions:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

The original official memo can be found at: [2] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Article printed from Data At Rest Encryption Solutions: http://data-at-rest.com

URL to article: http://data-at-rest.com/2009/04/10/the-memo-that-encrpyted-twenty-million-machines/

URLs in this post:
[1] http://www.infosecaward.com/docs/DARTT_June12_08Briefing_ExecutiveAlliance.ppt: http://www.infosecaward.com/docs/DARTT_June12_08Briefing_ExecutiveAlliance.ppt
[2] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Click here to print.