> This also refers to NIST SP-800-111.
> Thank you for the clarifications.
>
> > It looks more like if your data at rest is encrypted (i.e. server hard
> > drives), you're better protected under the law from penalties. But it's
> > not mandatory yet. But it sounds like I would want to encrypt my
> > servers, unless the process is too onerous.
>
> You are assuming they mean server hard drives. They don't. Now don't get me
> wrong, I'm not saying don't encrypt your servers. I'm just saying that
> operationally speaking it is a PITA and won't protect you from the most
> likely threat: someone gets access to the server while it is in operation,
> when it will necessarily have the encrypted volume open.

The general thought around here was that we should encrypt servers when it was first discussed; however, as I think about it more, I'm not sure if it's worth it either. There were a couple of off-list emails also saying they don't use encryption on the servers. While it's a small sample size, that seems to be the consensus.

Thank you everyone who gave the feedback. We'll be making a decision here in the next couple of weeks.

Cheers
--
Steven Kurylo
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/