|
Encrypting or scrambling data to assure confidentiality and integrity.
|
- Weak administration and procedures surrounding the all-important encryption keys can limit the effectiveness of this security measure.
|
- Document all procedures carefully.
- Keep public / private encryption keys safe.
|
- Encrypted information may be secure, but it may also prove to be inaccessible, even to authorised persons, where keys are poorly managed.
|
- The keys used to encrypt and decrypt must be held securely, but they must also be accessible when required. Introduce procedures which ensure the availability of the data when required by those so authorised.
|
- Encryption and decryption consume processor capacity (overhead). Lack of available capacity could lead to the data being effectively 'unavailable' when actually needed.
|
- Only employ large-scale encryption across entire systems where necessary.
- Determine which information is classified as sensitive, and whether it needs to be transmitted over insecure networks, such as the Internet. See Classifying Information and Data.
- Once the information has been encrypted, transmitted to its destination, and then decrypted, consider how the information should then be stored securely.
|
- In some countries, it is illegal to use ciphers, or the type of permissible cipher may be strongly regulated. This could result in unintentionally breaking the law where encrypted data is sent to such a country.
|
- Where necessary, seek legal opinion to confirm that the proposed encryption technique may be used between the organisations and countries in question.
|