Sensitive information, whether:
- FOUO documents being handled for the government
- PII during hiring and staffing
- Proprietary or confidential company information
- Competition-sensitive intelligence
- Or any other protection-required data (PRD)
requires special use and handling of digital communications. Unfortunately, a lack of education and familiarity with the available methods leads either to (1) data being exchanged by insecure means, or (2) a breakdown in communication.
Sharing this information without protection has significant implications under both criminal and civil law, as I’ve discussed before in relation to negligent entrustment. Even so, it is quite often an area of Information Assurance (IA) delegated to the lowest levels to implement and follow from a policy perspective. Given that a breach could be a public-relations nightmare, and that statutory liability could be financially destructive to a firm, it’s essential that data is protected both at rest and in transit.
Truthfully, among the methods available for dealing with risk (i.e. insurance, transference, mitigation, avoidance), the simplest in this regard is avoidance: “Just don’t send PRD.” However, a knee-jerk reaction not to share sensitive data can be problematic for the operation of many organizational programs, and an intentional breakdown of the ability to operate transparently is not only inefficient but can signal larger communication issues that are likely to exist.
Too frequently, I’ve encountered the assumption that encrypted mail cannot be exchanged between unrelated organizations, though it really is a simple process that only seems extraordinary. I think this is due in part to the lack of education we provide as part of corporate, government and similar cyber-awareness programs, but it is certainly due to the fact that the first step in the process (the public key exchange) is typically automated and transparent. Since the advent of Kerberos, however, virtually every directory structure with modern authentication uses some form of certificate authority (CA), and having neither PKI certificates available within an organization nor certificates signed by an external CA (eCA) borders on negligence.
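The public key exchange and eCA trust described above, as an added Python example that is not part of this paper: Org B's certificate is signed by an external CA that Org A already trusts, so A needs only B's public certificate to encrypt mail to B, and a self-signed impostor certificate for the same address is rejected. The organization names, addresses and the RSA-OAEP plus AES-GCM envelope (a stand-in for the S/MIME envelope Outlook would build) are constructed assumptions, and the code relies on the third-party `cryptography` package.

```python
import os, datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)

def make_cert(cn, email, key, issuer=None, issuer_key=None):
    """Self-signed when no issuer is given (the eCA itself), else an eCA-signed leaf."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    if email:  # S/MIME certificates bind the mailbox address via a SAN rfc822Name
        b = b.add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def trusted_for(cert, email, eca):
    """Sender-side check before encrypting: eCA signature valid and cert names the address."""
    try:
        eca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return email in san.get_values_for_type(x509.RFC822Name)

def encrypt_for(cert, plaintext):
    """Hybrid envelope: fresh AES-GCM session key, wrapped to the recipient's public key."""
    key, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    return cert.public_key().encrypt(key, OAEP), nonce, AESGCM(key).encrypt(nonce, plaintext, None)

def decrypt_with(private_key, wrapped, nonce, body):
    return AESGCM(private_key.decrypt(wrapped, OAEP)).decrypt(nonce, body, None)

def demo():
    """Constructed scenario (hypothetical names): eCA, Org B's eCA-signed cert, an impostor."""
    eca_key = rsa.generate_private_key(65537, 2048)
    eca = make_cert("External CA", None, eca_key)
    b_key = rsa.generate_private_key(65537, 2048)
    b_cert = make_cert("Org B", "bob@orgb.example", b_key, eca, eca_key)
    impostor = make_cert("Org B", "bob@orgb.example", rsa.generate_private_key(65537, 2048))
    msg = decrypt_with(b_key, *encrypt_for(b_cert, b"FOUO: constructed sample"))
    return trusted_for(b_cert, "bob@orgb.example", eca), trusted_for(impostor, "bob@orgb.example", eca), msg
```

Only B's certificate crosses the organizational boundary; B's private key never leaves B, which is the whole of the "public key exchange" step.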
This paper provides a short guide to address this gap and assumes one of the most common scenarios within the enterprise: the use of a public key infrastructure (PKI) and Microsoft Outlook. Though certainly relevant to contractors and the DoD, it remains applicable anywhere that meets these two criteria.