<P> Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user who possesses the cryptographic key, through the process of decryption. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage. </P>
<P> Cryptography provides information security with other useful applications as well, including improved authentication methods, message digests, digital signatures, non-repudiation, and encrypted network communications. Older, less secure applications such as telnet and ftp are slowly being replaced with more secure applications such as ssh that use encrypted network communications. Wireless communications can be encrypted using protocols such as WPA/WPA2 or the older (and less secure) WEP. Wired communications (such as ITU-T G.hn) are secured using AES for encryption and X.1035 for authentication and key exchange. Software applications such as GnuPG or PGP can be used to encrypt data files and email. </P>
<P> Cryptography can introduce security problems when it is not implemented correctly. Cryptographic solutions need to be implemented using industry-accepted solutions that have undergone rigorous peer review by independent experts in cryptography. The length and strength of the encryption key are also important considerations. A key that is weak or too short will produce weak encryption. The keys used for encryption and decryption must be protected with the same degree of rigor as any other confidential information. They must be protected from unauthorized disclosure and destruction, and they must be available when needed. Public key infrastructure (PKI) solutions address many of the problems that surround key management. </P>
<P> The terms reasonable and prudent person, due care and due diligence have been used in the fields of finance, securities, and law for many years. In recent years these terms have found their way into the fields of computing and information security. U.S.A. Federal Sentencing Guidelines now make it possible to hold corporate officers liable for failing to exercise due care and due diligence in the management of their information systems. </P>
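<P> The point made above about the length and strength of a key, as an added example that is not part of the original text: a key stretched from a short passphrase can be 256 bits long and still be weak, because its strength is bounded by the secret it was derived from. The 128-bit floor, the function names and the sample passphrase are assumptions of this example, and the strength figure is a simple upper-bound estimate. </P>

```python
import hashlib
import math
import secrets

MIN_STRENGTH_BITS = 128  # assumed policy floor for this example, not from the page


def random_key(n_bytes: int) -> tuple[bytes, float]:
    """Key drawn from the OS CSPRNG: strength in bits equals length in bits."""
    return secrets.token_bytes(n_bytes), n_bytes * 8.0


def passphrase_key(passphrase: str, symbols: int, alphabet_size: int,
                   salt: bytes, iterations: int,
                   n_bytes: int = 32) -> tuple[bytes, float]:
    """Stretch a passphrase into an n_bytes key with PBKDF2-HMAC-SHA256.

    Estimate (upper bound): `symbols` picks made uniformly at random from
    `alphabet_size` choices, plus log2(iterations) bits of extra attacker
    work from stretching, capped at the output length.
    """
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              iterations, dklen=n_bytes)
    bits = symbols * math.log2(alphabet_size) + math.log2(iterations)
    return key, min(bits, n_bytes * 8.0)


def audit(label: str, key: bytes, strength_bits: float) -> dict:
    """Report length and estimated strength separately."""
    return {"label": label,
            "length_bits": len(key) * 8,
            "strength_bits": round(strength_bits, 1),
            "ok": strength_bits >= MIN_STRENGTH_BITS}


def run_audit() -> list[dict]:
    salt = secrets.token_bytes(16)
    return [
        audit("random 256-bit key", *random_key(32)),
        audit("random 64-bit key", *random_key(8)),
        # Constructed sample: 8 random lowercase letters stretched to 256 bits.
        audit("8-letter passphrase, stretched",
              *passphrase_key("qzkvbmtx", 8, 26, salt, 100_000)),
    ]


if __name__ == "__main__":
    for row in run_audit():
        print(row)
```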

US Department of Defense added auditability as one of the desirable information security properties