Safeguard 3.11: Encrypt Sensitive Data at Rest
Implementation Groups: IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
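To make the storage-layer versus application-layer distinction concrete, here is an added example (not CIS's own code or tooling) of application-layer encryption in Go: records are encrypted with AES-256-GCM before they reach the storage layer, so a copy of the storage yields ciphertext only. It assumes an in-memory map standing in for the database or disk and a 32-byte key supplied by the caller; a production deployment would fetch that key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Store stands in for the database or disk. Each value is nonce || AES-256-GCM
// ciphertext (tag included): copying Store yields no key and no plaintext.
var Store = map[string][]byte{}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // a 32-byte key selects AES-256, per the checklist
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length already validated
	return cipher.NewGCM(block)
}

// Put encrypts before the record reaches Store. recordID is bound as associated
// data, so a ciphertext copied under another ID fails authentication on read.
func Put(key []byte, recordID string, plaintext []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	Store[recordID] = aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return nil
}

// Get decrypts and authenticates: a wrong key, a tampered ciphertext or a
// record moved under another ID returns an error rather than garbage.
func Get(key []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	stored, ns := Store[recordID], aead.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("no such record or truncated ciphertext")
	}
	return aead.Open(nil, stored[:ns], stored[ns:], []byte(recordID))
}
```

Whoever can read Store (an administrator, a stolen backup, a compromised service account) still needs the application's key, which is exactly the barrier storage-layer encryption alone does not provide.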

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify all data requiring encryption
7. Select approved encryption algorithms and key lengths (AES-256)
8. Deploy encryption solution and verify data protection
9. Establish key management procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Database Breach Exposing Plaintext Records

Confidentiality

Attackers who exploit SQL injection or use compromised database credentials reach sensitive data stored in plaintext and can immediately exfiltrate usable PII, PHI, or financial records.

Backup Media Theft with Unencrypted Data

Confidentiality

Server backups containing unencrypted sensitive data are stolen or improperly disposed of, providing attackers with complete access to historical sensitive records.

Vulnerabilities (When Safeguard Absent)

Sensitive Data Stored in Plaintext on Servers and Databases

Without at-rest encryption, compromising a server, database, or storage system grants direct access to all sensitive data without any additional barriers.

No Application-Layer Encryption for High-Value Data

Relying only on storage-layer encryption means that anyone with legitimate storage access (administrators, compromised service accounts) can read sensitive data, because the storage layer decrypts transparently for every principal it serves; only application-layer encryption keeps the key out of the storage system's reach.

Evidence Requirements

Type      | Evidence Item                                                                  | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled       | Captured quarterly
Document  | Procedure documentation for protection measures                                | Reviewed annually
Technical | Encryption configuration evidence (disk encryption status, TLS settings)       | Scanned monthly
Document  | Key management procedures and key rotation records                             | Reviewed annually
Document  | Governing policy document (current, approved, communicated)                    | Reviewed annually