On Wed, May 22, 2013 at 01:30:47PM PDT, Steven Kurylo spake thusly:
> How are you encrypting your server's disks, when they contain sensitive
> information?

For servers I generally don't do disk encryption. There are a couple of servers which are encrypted, and I enter the key manually on boot, but this obviously isn't scalable.

> Are you doing full disk?

Yes.

> With auto boot? Or do you use Mandos, or similar? Or enter the password
> manually for each machine?

The latter, when servers are encrypted.

> Or are you not bothering with encryption, and relying on your physical
> security instead?

Mostly relying on physical security and a media management policy which requires physical destruction of disks.

> Though for data which falls under HIPAA, I understand it must be encrypted
> on the server's disk.

Not true. If you know otherwise, please cite the appropriate federal regulation from 45 CFR § 164. HIPAA data being transported off-site needs to be encrypted, although that isn't specifically spelled out. The HIPAA regs really don't specify any particular security controls but mostly just say: "Protect against any reasonably anticipated threats or hazards" (45 CFR § 164.306(a)(2)).

Details here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf

-- 
Tracy Reed, RHCE        Digital signature attached for your safety.
Copilotco               PCI/HIPAA/SOX Compliant Secure Hosting
866-MY-COPILOT x101     http://copilotco.com
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
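The thread asks whether servers are full-disk encrypted and whether they unlock by hand or by some auto-boot mechanism. A practical check on an inventory of machines is to read the on-disk LUKS header rather than trust the build notes. The script below is an added example, not code from the thread or from any of its posters; it parses the fixed-offset LUKS1 header and the LUKS2 binary header plus JSON metadata as cryptsetup lays them out, and reports cipher, key size, and which key slots are active (a machine with both a manual passphrase and an auto-boot keyfile typically shows two active slots). The sample headers are constructed in the script so it runs offline; the device paths are only examples.

```python
"""Report whether a block device (or image) carries a LUKS header, and what it says.

Added example for the disk-encryption thread; the sample headers below are
constructed, not captured from a real device.
"""
import json
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_KEY_ENABLED = 0x00AC71F3   # keyslot state values from the LUKS1 spec
LUKS1_KEY_DISABLED = 0x0000DEAD
LUKS2_BIN_HEADER = 4096          # LUKS2 binary header size; JSON area follows it


def _cstr(raw):
    """NUL-terminated ASCII field -> str."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(data):
    """Return a dict describing the LUKS header at the start of `data`,
    or None when the data does not begin with the LUKS magic."""
    if len(data) < 8 or data[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack_from(">H", data, 6)[0]
    if version == 1:
        return _parse_luks1(data)
    if version == 2:
        return _parse_luks2(data)
    raise ValueError(f"unsupported LUKS version {version}")


def _parse_luks1(data):
    # LUKS1 phdr: fixed big-endian fields at fixed offsets, 592 bytes total
    if len(data) < 592:
        raise ValueError("truncated LUKS1 header")
    cipher_name, cipher_mode, hash_spec = (_cstr(data[o:o + 32]) for o in (8, 40, 72))
    payload_offset, key_bytes = struct.unpack_from(">II", data, 104)
    slots = []
    for i in range(8):
        active, _iterations = struct.unpack_from(">II", data, 208 + 48 * i)
        if active == LUKS1_KEY_ENABLED:
            slots.append(i)
        elif active != LUKS1_KEY_DISABLED:
            raise ValueError(f"keyslot {i}: unknown state {active:#010x}")
    return {"version": 1, "cipher": f"{cipher_name}-{cipher_mode}", "hash": hash_spec,
            "key_bits": key_bytes * 8, "payload_offset": payload_offset * 512,
            "uuid": _cstr(data[168:208]), "active_keyslots": slots}


def _parse_luks2(data):
    # LUKS2: binary header (hdr_size at offset 8, label at 24, uuid at 168),
    # then a NUL-padded JSON area from offset 4096 up to hdr_size
    if len(data) < LUKS2_BIN_HEADER:
        raise ValueError("truncated LUKS2 binary header")
    hdr_size = struct.unpack_from(">Q", data, 8)[0]
    meta = json.loads(_cstr(data[LUKS2_BIN_HEADER:hdr_size]))
    keyslots = meta.get("keyslots", {})
    key_size = next(iter(keyslots.values()), {}).get("key_size", 0)
    return {"version": 2, "label": _cstr(data[24:72]), "uuid": _cstr(data[168:208]),
            "cipher": meta["segments"]["0"]["encryption"], "key_bits": key_size * 8,
            "active_keyslots": sorted(int(k) for k in keyslots)}


def sample_luks1_header():
    """Constructed LUKS1 header: aes-xts-plain64, 512-bit key, slots 0 and 3 in use."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for off, val in ((8, b"aes"), (40, b"xts-plain64"), (72, b"sha256"),
                     (168, b"1b4e28ba-2fa1-11d2-883f-0016d3cca427")):
        hdr[off:off + len(val)] = val
    struct.pack_into(">II", hdr, 104, 4096, 64)   # payload at sector 4096, 64-byte key
    for i in range(8):
        state = LUKS1_KEY_ENABLED if i in (0, 3) else LUKS1_KEY_DISABLED
        struct.pack_into(">II", hdr, 208 + 48 * i, state, 200000 if i in (0, 3) else 0)
    return bytes(hdr)


def sample_luks2_header():
    """Constructed LUKS2 header with one keyslot and one crypt segment."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64}},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                               "sector_size": 512}}}
    hdr = bytearray(16384)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">HQ", hdr, 6, 2, 16384)      # version 2, hdr_size 16 KiB
    for off, val in ((24, b"pgdb1"), (168, b"9f0c9c0e-5d2b-4b1a-9a77-7e7d0c1a2b3c"),
                     (LUKS2_BIN_HEADER, json.dumps(meta).encode())):
        hdr[off:off + len(val)] = val
    return bytes(hdr)


if __name__ == "__main__":
    # e.g. python luks_check.py /dev/sda2 /dev/md1   (paths are only examples)
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            info = parse_luks_header(f.read(1 << 20))   # enough for default LUKS2 hdr_size
        print(path, "not LUKS" if info is None else info)
    if len(sys.argv) == 1:
        print(parse_luks_header(sample_luks1_header()))
        print(parse_luks_header(sample_luks2_header()))
```

Reading the raw header needs read access to the device, so run it as root or against a `dd` copy of the first megabyte; a header that is absent on a disk you believed was encrypted, or a LUKS2 header whose JSON lists more active keyslots than you expect, is the finding worth chasing.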