Is the role of encryption key for information governance?

Excerpt: It is essential to understand that with long term storage secure formats does not in themselves prevent user error or data corruption.

About the author: Steve was one of the authors of ISO/IEC 17799 (formerly BS7799) amongst other international security standards and used to actively contribute to standards development including ISO/IEC JTC1/SC3.  He has advised … Read more

February 17, 2022
by Steve Mathews

Information governance (IG) is all about the long-term confidentiality and trustworthiness of personal data that must be stored and processed in accordance with the IG policies that apply to those data.  The use of a long-term document format aids the process of data protection (encryption) by allowing verification of the document form and format along with the data.

To enforce specific policies, you need to examine DRM to see how you can incorporate controls that support todays confidentiality requirements (preventing editing, printing, etc.) while supporting the long-term need for supervisory access.

Underpinning any cryptographic scheme there is always a key management scheme that links cryptographic keys to individuals and to documents.  Having an automated key management service rather than one that users have complete control over, prevents user maladministration (keys being shared) or lost, by automating the security functionality.  This helps preserve the long-term accessibility of confidential information – that is information that must be stored securely.

However, it is essential to understand that with long term storage even though you are using a secure format, that of itself does not prevent user error or deliberate corruption of data.  In many cases physical controls are also required and are often considered to be just as important as encryption because they have to survive and be verifiable.  No amount of cryptography prevents backup devices from being damaged (water, fire, electricity, etc.).  Encryption will help prevent theft of confidential data but is only part of the solution of IG.