6. What A Good Policy Includes: The security policy should outline what company data should be encrypted, how it should be encrypted (64-bit, 128-bit, etc.), and who has access rights to the encryption key(s). Similarly, the security policy should include details about passwords, including how often they should be changed and how they should be secured (i.e., no notes taped to the desktop).
By encrypting all sensitive data, a company doesn’t lose more than a wireless device if a laptop, PDA, etc., is stolen or gets misplaced. This also helps protect data on movable media, like tapes, as well as data in stationary company systems, like servers and mainframes. For example, if ChoicePoint or Bank of America had encrypted their data, the recent security breaches would have been a non-issue, Conorich points out.