|
Hi, WinZip proposes two kinds of encryption: strong AES encryption and the legacy Zip 2.0 encryption. Please be sure to use AES only (128-bit and 256-bit AES are supported). There is also a WinZip Enterprise version which is FIPS 140-2 compliant. The key question is: which kind of data will you exchange via zip files? My advice is to discuss this topic with your internal auditor / CISO. Keep also in mind that the password used to encrypt the zip files must be strong enough. |
Xme 390 Posts ISC Handler |
| Reply Quote |
Dec 24th 2015 2 years ago |
| A "strong enough" password means the time to brute force the password must exceed the lifetime of the data. If your data has a usable life of two weeks, like a forthcoming earnings release that will soon go public, you're probably OK. If it's payment card data and the latest card expires four years from now, your password needs to outlast all current and upcoming methods of brute-forcing including GPUs and cloud resources. |
Anonymous |
| Reply Quote |
Jan 11th 2016 2 years ago |
|
Since you're asking in the Auditing forum, I'll assume that you're an auditor. There are various aspects to consider. You would first have to determine whether a current, approved Information Security policy exists and satisfies all applicable regulatory requirements. If so, does the policy specifically allow or prohibit it's use? If it does not specifically address it, your evaluation should include: o Where does the communicated data fall in the organization's data classification hierarchy? o Does winzip meet applicable encryption requirements? o Do the passwords used satisfy the organization's InfoSec policy? o How is the password communicated? o Are there effective controls over who will receive the data/password? o Are there reasonable, available alternatives that are more secure? If the version of winzip provides sufficient encryption strength for the data, the passwords are sufficiently complex, the passwords are communicated out-of-band, and there are effective controls around who receives the data and password, winzip could be considered acceptable. |
TrustedAdvisor 2 Posts |
| Reply Quote |
Jan 23rd 2016 2 years ago |
| thank you for answer |
baltlokis 1 Posts |
| Reply Quote |
Aug 17th 2016 1 year ago |
| A "strong enough" password means the time to brute force the password must exceed the lifetime of the data. If your data has a usable life of two weeks, like a forthcoming earnings release that will soon go public, you're probably OK. If it's payment card data and the latest card expires four years from now, your password needs to outlast all current and upcoming methods of brute-forcing including GPUs and cloud resources. |
nhanhieulogo 1 Posts |
| Reply Quote |
May 24th 2018 3 weeks ago |
Sign Up for Free or Log In to start participating in the conversation!
