myctrl.tools
Compare

SC-28(2)Offline Storage

>Control Description

Remove the following information from online storage and store offline in a secure location: organization-defined information.

>Cross-Framework Mappings

SCF

BCD-11
Compare
CRY-05.2
Compare

>Supplemental Guidance

Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of offline storage?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-28(2)?

Technical Implementation:

  • How is offline storage technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that offline storage remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-28(2)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.