We’ve had several recent inquiries about which entities require encryption as part of IT governance, risk and compliance. McAfee has a really good site at www.mcafee.com/us/solutions/compliance/index.aspx which provides a comprehensive view of this subject, both for the US and globally. The list is fairly long, especially when you look at the global picture, and we don’t expect it to shrink anytime soon. The key drivers in the US are state privacy laws, PCI and HIPAA.

For those of you who don’t have time to wade through the website above, here is some background. McAfee provides several products that, used together, can help you achieve compliance quickly. Most regulations require you to secure and limit access to sensitive and personally identifiable data, and McAfee’s encryption products can address many of those requirements. McAfee’s Endpoint Encryption solutions specifically are designed to meet the requirements of the Advanced Encryption Standard (AES) specification. AES has been adopted by the U.S. government, including by the National Security Agency (NSA) for top secret information, and is now used worldwide. AES is commonly used to help meet the requirements of FIPS, HIPAA and PCI DSS compliance. The McAfee Endpoint Encryption solution is FIPS 140-2 and Common Criteria EAL2+ certified (with ePO v4.6) for the Intel Advanced Encryption Standard – New Instructions (AES-NI) implementation. The AES-NI implementation is offered with Intel i5 and i7 processors.

You are probably already aware that using McAfee Endpoint Encryption solutions does not by itself guarantee or certify compliance. IT departments should engage third-party compliance auditors for that. Below is some background information for those who need a bit more detail on the subject.

AES/NIST

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is included in the ISO/IEC 18033-3 standard. A related, often referenced document is NIST 800-53, Recommended Security Controls for Federal Information Systems. Refer to www.nist.gov

Intel AES-NI

Intel® AES-NI is a new encryption instruction set that implements the core operations of the Advanced Encryption Standard (AES) algorithm in hardware and accelerates the encryption of data on the Intel® Xeon® processor family and the Intel® Core™ processor family. Refer to (1) www.intel.com/content/www/us/en/architecture-and-technology/advanced-encryption-standard--aes-/data-protection-aes-general-technology.html?wapkw=aes and (2) Intel’s “Securing the Enterprise with Intel® AES-NI” white paper, http://www.intel.com/content/dam/doc/white-paper/enterprise-security-aes-ni-white-paper.pdf

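Because the certified implementation described on this page is the AES-NI one, a practical check before rollout is whether every logical CPU on an endpoint actually exposes the AES-NI instruction set; if it does not, AES runs in software instead. The following is an added example (not McAfee or Intel code) that reads the Linux /proc/cpuinfo format, where AES-NI is reported as the flag `aes` on each processor's `flags` line. The two-CPU cpuinfo text embedded in the script is a constructed sample; the function names and the report layout are this example's own.

```python
"""Report which logical CPUs expose the AES-NI instruction set.

Added example, not McAfee or Intel code. Assumes the Linux /proc/cpuinfo
layout: one blank-line-separated stanza per logical CPU, each with a
"flags" line, and AES-NI reported as the flag "aes".
"""
from typing import Dict, List, Optional, Set

AES_NI_FLAG = "aes"

# Constructed sample: CPU 0 reports AES-NI, CPU 1 (an older part) does not.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Intel(R) Core(TM) i7 CPU (constructed sample)
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes avx

processor\t: 1
model name\t: Older CPU without AES-NI (constructed sample)
flags\t\t: fpu vme sse sse2 ssse3
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo text into one key/value dict per logical CPU."""
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            # A blank line closes the current processor stanza.
            if current:
                cpus.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def cpu_flags(cpu: Dict[str, str]) -> Set[str]:
    """Return the CPU's feature flags as a set of whole tokens.

    Splitting on whitespace matters: "vaes" (vector AES) is a different
    flag and must not be mistaken for "aes".
    """
    return set(cpu.get("flags", "").split())


def aes_ni_report(text: str) -> Dict[str, object]:
    """Summarise AES-NI availability across all CPUs in a cpuinfo text."""
    cpus = parse_cpuinfo(text)
    without = [c.get("processor", "?") for c in cpus
               if AES_NI_FLAG not in cpu_flags(c)]
    return {
        "cpus": len(cpus),
        "without_aes_ni": without,
        # Only True when at least one CPU was found and none lack the flag.
        "all_aes_ni": bool(cpus) and not without,
    }


def host_aes_ni_report(path: str = "/proc/cpuinfo") -> Optional[Dict[str, object]]:
    """Run the report against the live host; None where cpuinfo is absent."""
    try:
        with open(path, encoding="utf-8") as fh:
            return aes_ni_report(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("constructed sample:", aes_ni_report(SAMPLE_CPUINFO))
    print("this host:", host_aes_ni_report())
```

On the constructed sample the report lists processor 1 as lacking AES-NI and sets `all_aes_ni` to False; on a non-Linux host `host_aes_ni_report()` returns None rather than guessing. An endpoint that fails this check still encrypts, but not through the hardware implementation the certification above refers to.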

FIPS 140-2

Federal Information Processing Standard (FIPS) 140-2 Encryption Requirements. FIPS 140-2 is the mandatory standard for cryptographic-based security systems in computer and telecommunication systems (including voice systems) for the protection of sensitive data, as established by the Department of Commerce in 2001. McAfee Endpoint Encryption is FIPS 140-2 and Common Criteria certified for the Intel Advanced Encryption Standard – New Instructions (AES-NI) implementation. Refer to http://csrc.nist.gov/

Common Criteria

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements. It is used as the basis for a government-driven certification scheme, and evaluations are typically conducted for use by Federal Government agencies and critical infrastructure.

http://www.niap-ccevs.org/cc-scheme/st/vid10486/

HIPAA

Health Insurance Portability and Accountability Act of 1996 (HIPAA): “A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv)). Refer to www.hhs.gov/

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Refer to www.pcisecuritystandards.org/

Partial List of Related Areas and Programs in the US

  • Federal Risk and Authorization Management Program (FedRAMP)
  • Federal Financial Institutions Examination Council (FFIEC): financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit.
  • HITECH
  • Health Information Trust Alliance (HITRUST): a collaboration of healthcare, technology, and information security industry leaders to ensure the safe exchange of information between healthcare-related organizations.
  • Common Security Framework (CSF): a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges personal health and financial information.
  • Sarbanes-Oxley Act (SOX): for financial information; the related ISO/IEC 27002 (an information security standard) defines best practices for SOX-related security controls and explicitly suggests the use of encryption.
  • Gramm-Leach-Bliley Act and the Safeguards Rule: requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients’ nonpublic personal information.
  • Security Breach Information Act: enacts a requirement to notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.