Although most employees use network or cloud folders to back up business documents, some employees may back up files locally on their devices (computer, tablet, etc.), sometimes for convenience purposes (teleworking, business travel, etc.).
Threats targeting organizations are pervasive and many recent incidents, such as the loss or theft of computer equipment, represent a risk to information security for many organizations. Based on this risk, a growing number of businesses are deciding to implement IT security controls to ensure the confidentiality of locally stored data for this type of equipment.
Some questions arise for any organization wishing to protect itself against threats associated with the theft or loss of computer equipment containing sensitive information:
- What is the target and what device do we want to protect?
- What solution can be used to protect against real threats for this type of computer equipment?
- What IT controls are required in terms of information security?
- Are the defined safety objectives aligned with industry best practices?
Apprehended in a broad manner, the target concerns all computer equipment with which an employee carries out professional activities. The latter can be provided by the employer or employee.
For organizations that authorize the use of personal equipment (BYOD), it will be necessary to integrate the personal equipment used in the workplace into their security approach.
The most frequently used work equipment likely to be stolen or lost in the workplace are laptops. In order to protect this type of equipment, most organizations opt for hard disk encryption. This protection will prevent unauthorized persons from accessing the contents of stolen computer equipment.
Chapter 10 of ISO 27002:2013 covers the subject of cryptography in general and proposes two main measures, the first relating to the policy for the use of cryptographic measures while the second addresses the effective management of cryptographic keys to ensure the confidentiality and integrity of information.
Organizations wishing to implement IT security control for hard disk encryption in alignment with this standard should select the necessary controls to ensure that effective IT security is in place and meets the organization’s security expectations.
Among the security recommendations proposed in Chapter 10, three can be associated to hard disk encryption for proper design and implementation.
- The use of a recognized encryption technique to protect data transported on removable devices using a media (ref. 10.1.1c)
- Defining frameworks for effective key management, including methods to protect encryption keys and recover encrypted information in the event of key loss, compromise or damage (ref.: 10.1.1.1d)
- Backup, protection and use of cryptographic keys (ref. 10.1.2d).
The computer equipment used in the workplace most of the time contains sensitive data and hard disk encryption is one of the best measures to protect it. To ensure the operational effectiveness of encryption, the security department within organizations must deploy a technical solution with a list of IT security controls and guidelines to address the measures mentioned in Chapter 10 of ISO 27002. The following is a list of recommendations to consider:
- Ensure that encryption is applied to all computers used to perform professional activities. At a minimum, the deployed encryption solution should synchronize with the list of computers registered with the domain controller to cover the entire fleet of professional computers. Synchronization ensures that any computers added to the domain controller will be automatically encrypted. Any encrypted computer must have an agent installed to communicate with the administration and encryption server.
- Ensure the continuous availability of recovery keys, automatic and real-time storage of encryption keys in two different locations (e.g., a SQL database and the domain controller). Make backup copies at a specified frequency to allow keys to be restored in the event of loss, compromise or damage to keys.
- Protect keys from accidental or unauthorized access, modification, loss or deletion. Define roles and responsibilities as well as the list of stakeholders. Develop the necessary procedures to ensure the proper functioning and security of the encryption solution. These procedures must be made available to all relevant stakeholders and the privileges and accesses that must be approved by the Chief Executive Officer.
There are several information securities challenges in a dynamic business environment. The principle of hard disk encryption is a security technique that mitigates the risks resulting from loss or theft of computers.
However, to ensure the operational effectiveness of the solution, cryptographic solutions alone cannot meet all information protection needs. Other IT controls such as the automatic storage mechanism, availability of backup copies, allocation and management of access rights, etc. must also be implemented.