ACS Email Encryption

© Affiliated Computer Services, Inc. (ACS) 2010

ACS Email Encryption

© Affiliated Computer Services, Inc. (ACS) 2009Slide 2

Project Sponsors

Chris Leach, Chief Information Security Officer Kevin R. Mitchell, Director of Encryption Services David McLaughlin, Manager Boundary Services Joan Burns, Program Manager for Encryption Services Business Information Security Officer


Agenda

Overview of ACS Email Encryption Automated Email Encryption Rollout Examples of how Email Encryption Works Now Example of how Email Encryption Works After What business units need to do Impact to clients


ACS Email Encryption Overview

Encryption of email is currently a manual process Users must place [PGP] in subject line ACS employees are sending 5.4 Million messages per week

Consequences of Unencrypted Email Sent as plain text over the internet

– Anyone who can sniff network traffic can read it causing the data to be at risk

If accidentally sent to incorrect person could constitute a reportable breach


Unencrypted Email Consequences

Below is an example of several Credit Card numbers which were accidentally sent unencrypted.

The average data breach cost is continuing to rise, growing 43% since 2005 to an average $197 per data record compromised. This is a cost on average of $6.3 million per breach. – Ponemon Institute


ACS Encryption Services

What has already been done to help? Implemented a solution to encrypt email using [PGP] in subject

line What are we doing to make things easier?

Implementing scanning of sensitive data to reduce risk Added Secure PDF delivery feature


How Encrypted Email works now…

Email is sent with [pgp] in the subject line



Email is received by Client



Email contains a link to the Web portal



Client logs onto the Web Portal and creates a passphrase



Email is reviewed on the Web Portal


How Encrypted Email will work after the Rollout of Automated Email Encryption

ACS user will continue to send email with sensitive information using [PGP] in the subject line

Initially customer will receive an email with link to set up a passphrase so they may receive the email sent from ACS

– After the client receives their first email they will not be required to setup a passphrase again

After Customer enters passphrase they will receive the original email that was sent by ACS, as a secure PDF. The PDF will be encrypted and can be opened using the passphrase they entered.

Any subsequent emails with [PGP] in the subject line will go directly to the customer as encrypted PDF which the customer can open using the passphrase they set up.


How Encrypted Email will work after

Email is sent but the ACS Employee forgets to put [pgp] in the subject line



Client receives the email



Client clicks on the pdf to view the email


Client enters their previously defined passphrase




The email message is displayed along with any attachments


Advantages to the new delivery method

Secure PDF delivery will allow our customers to get their email locally to their mailbox

This allows each client to keep a copy of the encrypted email on their local computer for review each time they need to refer back to it.

Only login once to setup passphrase Once the initial passphrase has been setup they will not need to

login to the web portal unless they need to respond to the email securely.


What Business Units Need To Do

The appropriate ACS representative for each client, vendor, or business partner must:

Inform clients, vendors, or business partners of the upcoming change

Communicate any rollout exceptions (client domains or ACS email addresses) to Pat Elledge including:

– Clients, vendors, or business partners who do not want to receive encrypted email from ACS

– Any ACS email addresses that need to be exempted from the encryption rollout (ex: system automated process)


Impact to Clients

Minimal impact as follows:

First Time Users:

First time Clients simply need to click on a link in the secured email and initially set up a passphrase on the web portal.

Existing Users

The encrypted email appears in their mailbox as a pdf attachment. The user will click on the attachment and enter their previously created passphrase.

Note: There is a detailed Recipient Guide available for reference.


Questions

Documents

ACS Email Encryption