Re: Encryption and Data Retention
- From: rohnskii@xxxxxxxxx
- Date: Wed, 5 Aug 2009 17:57:16 -0600
Short answer, your BCO is wrong.
Although he is right to be conscious about recovery time, as others have pointed out, the impact of encryption/decryption is generally trivial.
Here are a couple of questions to consider:
1. How often do you do DR for real (excluding scheduled, yearly/semi-annual/quarterly DR tests)? I bet a lot less than once a decade unless you are located in an annual "disaster zone", i.e. someplace subject to yearly bad weather cycles: tornadoes, floods, hurricanes, snow or ice storms.
2. How often does backup data leave your premises? Daily, weekly or at most monthly.
3. Which one occurs more frequently? Duh 2!
4. If there is going to be an OOPS type problem, is it more likely to happen to 1 or 2? Duh 2!
5. Is your courier and courier process specifically designed to handle sensitive data? i.e.:
a) Is your DR media (tapes or whatever) always under lock and key at your site, or does it just sit on your loading dock (for anyone to steal) before pickup by courier?
b) Does your courier have a certified secure transportation process? Are the trucks always locked? Are the trucks always manned? Is their warehouse secure? What penalty does the courier face if they lose your media, do they pay your fines or do they only send an "Oops sorry..." letter and pay replacement cost of media?
6. Is any of the data going off site "Personal Information" that is covered by legislation? If yes, you don't dare send it offsite unencrypted.
Here are some links to articles that show what happens when you send unencrypted sensitive data offsite:
http://blogs.techrepublic.com.com/networking/?p=301&tag=nl.e138
http://www.scmagazineus.com/Unknown-number-of-victims-in-Hortica-Insurance-backup-tape-loss-laptops-stolen-from-Chicago-Public-Schools/article/34800/
http://www.channelregister.co.uk/2007/05/15/ibm_missing_tapes/ - IBM courier crashes. Sensitive tapes go AWOL
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1277471,00.html - Home Depot and Iron Mountain report missing data
http://www.computerworld.com/s/article/9048199/_Operational_failure_misplaced_records_for_25_million_kids..._or_was_it_theft_
http://www.csoonline.com/article/452977/T_Mobile_Lost_Disk_Containing_Data_on_Million_Customers