WinZip offers two kinds of encryption: strong AES encryption and the legacy Zip 2.0 encryption. Please be sure to use AES only (128-bit and 256-bit AES are supported).
There is also a WinZip Enterprise version which is FIPS 140-2 compliant.
The key question is: which kind of data will you exchange via zip files? My advice is to discuss this topic with your internal auditor / CISO.
Also keep in mind that the password used to encrypt the zip files must be strong enough.
Dec 24th 2015
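The first thing to verify about the advice above is that an archive really does use AES and not the legacy Zip 2.0 scheme (ZipCrypto), since both are set by the same "encrypt" checkbox and look identical from the outside. The following is an added example, not code from this thread or from WinZip: a small Python parser over the zip central directory that uses the documented WinZip AES convention (compression method 99 plus a 0x9901 extra field whose strength byte gives the key size, marked AE-1 or AE-2). The three sample archives are constructed in memory for the demonstration; their payloads are opaque placeholder bytes, not real ciphertext, which is all a central-directory check needs.

```python
import struct
import sys

# Record signatures and field values from the PKWARE APPNOTE and the WinZip AES spec.
LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0: entry is encrypted (ZipCrypto or AES)
METHOD_AES = 99             # WinZip stores AES entries with this compression method...
AES_EXTRA_ID = 0x9901       # ...and keeps the real method and key size in this extra field
AES_KEY_BITS = {1: 128, 2: 192, 3: 256}


def _extra_fields(extra):
    """Yield (header_id, payload) for each record in a zip 'extra' blob."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        yield header_id, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify_entry(flags, method, extra):
    """Label the encryption of one central-directory entry."""
    if method == METHOD_AES:
        for header_id, payload in _extra_fields(extra):
            if header_id == AES_EXTRA_ID and len(payload) >= 7:
                ae_version, vendor, strength, _real_method = struct.unpack_from("<H2sBH", payload)
                if vendor == b"AE" and strength in AES_KEY_BITS:
                    return f"AES-{AES_KEY_BITS[strength]} (AE-{ae_version})"
        return "method 99 without a valid 0x9901 extra field (malformed)"
    if flags & FLAG_ENCRYPTED:
        return "ZipCrypto (legacy Zip 2.0, weak)"
    return "none"


def inspect_zip(data):
    """Walk the central directory of an in-memory zip; return [(name, encryption label), ...]."""
    eocd = data.rfind(EOCD_SIG)   # adequate here; a real tool should also honour the comment length
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip archive")
    _, _, _, n_entries, _cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    report, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        fields = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        flags, method = fields[2], fields[3]
        name_len, extra_len, comment_len = fields[9], fields[10], fields[11]
        name_start = pos + 46
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        extra = data[name_start + name_len:name_start + name_len + extra_len]
        report.append((name, classify_entry(flags, method, extra)))
        pos = name_start + name_len + extra_len + comment_len
    return report


def archive_is_aes_only(data):
    """True only if every entry is AES-encrypted; one ZipCrypto or plaintext entry fails the check."""
    return all(label.startswith("AES-") for _, label in inspect_zip(data))


# --- constructed sample archives (test data, not real WinZip output) ---------------------
def build_single_entry_zip(name, flags, method, extra, payload):
    """Assemble a minimal one-entry archive: local header + data, central directory, EOCD."""
    name_b = name.encode()
    lfh = struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name_b), len(extra)) + name_b + extra + payload
    cdh = struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name_b), len(extra), 0, 0, 0, 0, 0) + name_b + extra
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(cdh), len(lfh), 0)
    return lfh + cdh + eocd


OPAQUE = b"\x00" * 32   # placeholder for ciphertext; the central-directory check never reads it
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)  # AE-2, strength 3 = AES-256
AES_ZIP = build_single_entry_zip("report.docx", FLAG_ENCRYPTED, METHOD_AES, AES256_EXTRA, OPAQUE)
ZIPCRYPTO_ZIP = build_single_entry_zip("report.docx", FLAG_ENCRYPTED, 8, b"", OPAQUE)
PLAIN_ZIP = build_single_entry_zip("readme.txt", 0, 0, b"", b"not encrypted at all")

if __name__ == "__main__":
    samples = {"aes.zip": AES_ZIP, "zipcrypto.zip": ZIPCRYPTO_ZIP, "plain.zip": PLAIN_ZIP}
    for path in sys.argv[1:]:                # optionally check real archives given on the command line
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for label, blob in samples.items():
        print(label, "AES-only" if archive_is_aes_only(blob) else "NOT acceptable", inspect_zip(blob))
```

Run it with no arguments to see the three constructed samples classified, or pass real archive paths. The same fields are also exposed by the standard library (`zipfile.ZipFile(path).infolist()` gives `compress_type`, `flag_bits` and `extra` per entry) if you would rather not parse the directory yourself. Note what the check does and does not prove: it confirms the archive format selected AES, nothing more; a ZipCrypto entry is flagged because that scheme is known to be weak, but an AES entry protected by a short password is still only as strong as that password.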
A "strong enough" password means the time to brute force the password must exceed the lifetime of the data. If your data has a usable life of two weeks, like a forthcoming earnings release that will soon go public, you're probably OK. If it's payment card data and the latest card expires four years from now, your password needs to outlast all current and upcoming methods of brute-forcing including GPUs and cloud resources.
Jan 11th 2016
Since you're asking in the Auditing forum, I'll assume that you're an auditor. There are various aspects to consider. You would first have to determine whether a current, approved Information Security policy exists and satisfies all applicable regulatory requirements. If so, does the policy specifically allow or prohibit its use? If it does not specifically address it, your evaluation should include:
o Where does the communicated data fall in the organization's data classification hierarchy?
o Does WinZip meet applicable encryption requirements?
o Do the passwords used satisfy the organization's InfoSec policy?
o How is the password communicated?
o Are there effective controls over who will receive the data/password?
o Are there reasonable, available alternatives that are more secure?
If the version of WinZip provides sufficient encryption strength for the data, the passwords are sufficiently complex, the passwords are communicated out-of-band, and there are effective controls around who receives the data and password, WinZip could be considered acceptable.
Jan 23rd 2016
Thank you for the answer.
Aug 17th 2016