Encryption is encoding information so that it can’t be used by unauthorized or unintended users.
The Consumer Data Right gives Australians control of their data. That enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
In modern cloud infrastructure and devices, encryption is often applied by default. This includes data-at-rest in production databases, on hard disks of laptops and removable media, and data-in-transit through email systems, website access, and connections to web-based applications and the cloud infrastructure.
In standards like ISO 27001, it’s important to have a Cryptographic Policy. In others like SOC 2 and the Consumer Data Right (CDR), the encryption practices are important but a policy is not a necessity. Whether it’s formalised in a policy or just applied in practice, the following areas should be considered.
Data-at-rest in production databases holding any sensitive data should be encrypted. In modern cloud infrastructure this is a feature that is toggled on or off: in Amazon S3, for example, it is not applied by default, whereas Google Cloud Platform applies it by default.
User devices used for company purposes should be encrypted. Hard disk encryption on laptops is applied by default by macOS FileVault or Windows BitLocker, and on iOS or Android mobile devices. This encryption can be toggled off and may not be applied by default on older versions, so it's important to check, and to require employees to ensure encryption is applied.
Encryption in transit protects data from interception while it is transmitted between the cloud platform and your site or devices, and between services.
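As an added example (not from the original article or AssuranceLab), the Terraform below turns on the two controls just described for one S3 bucket: default encryption at rest with a rotated KMS key, and a bucket policy that rejects any request not made over TLS. The resource names, the bucket name and the AWS provider version (4.x or later) are assumptions.

```hcl
# Added example, not part of the original article. Names such as "cdr_data"
# and the bucket name are placeholders chosen for illustration.

resource "aws_kms_key" "cdr_data" {
  description             = "Key protecting CDR data at rest"
  enable_key_rotation     = true # keys rotated automatically, old versions retained
  deletion_window_in_days = 30   # waiting period before a scheduled deletion takes effect
}

resource "aws_s3_bucket" "cdr_data" {
  bucket = "example-cdr-data-bucket" # placeholder bucket name
}

# Data at rest: the per-bucket "toggle" referred to above. It selects the
# algorithm and key applied to every object written to the bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "cdr_data" {
  bucket = aws_s3_bucket.cdr_data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cdr_data.arn
    }
    bucket_key_enabled = true # reduces KMS calls while keeping KMS-backed encryption
  }
}

# Data in transit: deny every bucket and object operation that arrives
# over plain HTTP, so data can only move to and from the bucket under TLS.
resource "aws_s3_bucket_policy" "cdr_data_tls_only" {
  bucket = aws_s3_bucket.cdr_data.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.cdr_data.arn,
        "${aws_s3_bucket.cdr_data.arn}/*",
      ]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

After `terraform apply`, `aws s3api get-bucket-encryption --bucket <name>` should report the `aws:kms` rule, and an `http://` request to the bucket should be refused with an access denied error.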
Encrypting Wi-Fi on your local area network and trusted networks prevents eavesdropping and unauthorised interception of data. Encryption protocols like WPA2 should be applied to any Wi-Fi network you use for business purposes.
The CDR Perspective
The CDR requires that encryption methods are utilised to secure CDR data at rest by encrypting file systems, end-user devices, portable storage media and backup media. Cryptographic keys are securely stored, backed-up and retained. Appropriate user authentication controls (consistent with control requirement 1) are in place for access to encryption solutions and cryptographic keys.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.