CRY-06—Encryption of Data at Rest
>Control Description
Theme:
Type:
Policy/Standard: Cryptographic Management Policy
>Implementation Guidance
1. Ensure that the Organization's Data Classification and Handling Standard and Data Encryption Standard include requirements for encrypting data at rest.
2. Where data at rest shall be encrypted as per the Data Classification and Handling Standard, ensure the following:
   a. Ensure encryption is enabled, along with the type of encryption algorithm being used as applicable (e.g. for AWS S3, AWS SSE-KMS, etc.; full disk encryption for on-prem databases).
   b. Ensure that only strong encryption algorithms mandated by the Organization Cryptography Standard are in use where applicable.
   c. Establish a process to periodically check the list of all cloud storage resources and determine whether encryption was appropriately applied as applicable.
>Testing Procedure
1. Inspect the Organization's Data Classification and Handling Standard and Cryptography Standard to determine whether requirements for encrypting restricted data at rest have been defined.
2. Obtain confirmation from teams that storage of data is in place. For services storing restricted data at rest, obtain and inspect the following:
   a. List of all databases/storage locations (AWS/Azure databases, on-prem databases, etc.) where data is stored at rest.
   b. For all the above locations, obtain evidence showing that encryption is enabled, along with the type of encryption algorithm being used as applicable (e.g. for AWS S3, AWS SSE-KMS, etc.; full disk encryption for on-prem databases), to ensure that only strong encryption algorithms mandated by the Organization Cryptography Standard are in use where applicable.
   c. Obtain the list of all cloud storage resources and determine whether encryption was appropriately applied as applicable.
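The periodic check called for in Implementation Guidance 2c and Testing Procedure 2c can be automated. The following is an added example, not part of the CCF control or Adobe's tooling: it walks a constructed inventory of S3-style storage resources (encryption data in the shape of AWS GetBucketEncryption output, classification from the data handling standard) and flags resources whose default encryption is missing, uses an algorithm outside the assumed cryptography standard, or holds restricted data without SSE-KMS. The approved-algorithm sets and the restricted-requires-KMS rule are assumptions for the example.

```python
# Added example: encryption-at-rest posture check over a constructed inventory.
# Encryption configs are in the shape of AWS GetBucketEncryption output; a live
# audit would fetch them via the API (e.g. boto3 get_bucket_encryption).
# Policy thresholds below are assumptions for the example, not CCF requirements.

APPROVED_ALGORITHMS = {"AES256", "aws:kms"}   # assumed org cryptography standard
RESTRICTED_REQUIRES = {"aws:kms"}             # assumed: restricted data -> SSE-KMS

def default_encryption(config):
    """Return the SSEAlgorithm of the bucket's default encryption rule, or None."""
    rules = (config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def assess_bucket(name, classification, config):
    """Classify one resource as pass/fail against the assumed standard."""
    algo = default_encryption(config)
    if algo is None:
        return (name, "fail", "no default encryption rule configured")
    if algo not in APPROVED_ALGORITHMS:
        return (name, "fail", f"algorithm {algo} not permitted by cryptography standard")
    if classification == "restricted" and algo not in RESTRICTED_REQUIRES:
        return (name, "fail", f"restricted data requires SSE-KMS, found {algo}")
    return (name, "pass", f"{algo} meets policy for {classification} data")

def assess_inventory(inventory):
    return [assess_bucket(b["name"], b["classification"], b.get("encryption"))
            for b in inventory]

def sse_config(algo):
    """Constructed GetBucketEncryption-shaped config for the sample data."""
    return {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}

# Constructed sample inventory (not real buckets); None = no encryption rule returned.
SAMPLE_INVENTORY = [
    {"name": "fin-restricted", "classification": "restricted",
     "encryption": sse_config("aws:kms")},
    {"name": "logs-internal", "classification": "internal",
     "encryption": sse_config("AES256")},
    {"name": "hr-restricted", "classification": "restricted",
     "encryption": sse_config("AES256")},
    {"name": "scratch-public", "classification": "public", "encryption": None},
]

if __name__ == "__main__":
    for name, status, reason in assess_inventory(SAMPLE_INVENTORY):
        print(f"{status.upper():4} {name}: {reason}")
```

The per-resource (name, status, reason) tuples are the audit artifact for step 2c; a real run would replace SAMPLE_INVENTORY with the output of the cloud inventory API joined to the classification register.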
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.