3.6 Encrypt Data on End-User Devices
IG1, IG2, IG3

Control Group: 3. Data Protection
Asset Type: Devices
Security Function: Protect

Description

Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify all data requiring encryption
7. Select approved encryption algorithms and key lengths (AES-256)
8. Deploy encryption solution and verify data protection
9. Establish key management procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Data Theft from Lost or Stolen Laptop

Confidentiality

An unencrypted laptop is stolen or lost during travel, exposing all stored sensitive data including credentials, client records, and intellectual property to the thief.

Forensic Data Extraction from Seized Devices

Confidentiality

Adversaries with physical access to unencrypted end-user devices extract sensitive data by booting from external media or removing storage drives for offline analysis.

Insider Data Theft via Physical Access

Confidentiality

A departing or malicious employee accesses unencrypted data on their device offline, bypassing network-based access controls and DLP tools.

Vulnerabilities (When Safeguard Absent)

Unencrypted End-User Device Storage

Without full-disk encryption on laptops, desktops, and mobile devices, physical access to the device grants unrestricted access to all stored data.

No Enforcement of Encryption on BYOD Devices

Personal devices accessing enterprise data lack mandatory encryption policies, leaving sensitive data unprotected if the device is lost, stolen, or compromised.

Evidence Requirements

Type       | Evidence Item                                                             | Collection Frequency
Technical  | Configuration screenshots or exports showing protection controls enabled  | Captured quarterly
Document   | Procedure documentation for protection measures                           | Reviewed annually
Technical  | Encryption configuration evidence (disk encryption status, TLS settings)  | Scanned monthly
Document   | Key management procedures and key rotation records                        | Reviewed annually
Document   | Governing policy document (current, approved, communicated)               | Reviewed annually
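The checklist steps 7 and 8 (approved algorithm and key length, then verify that data is actually protected) and the "disk encryption status, scanned monthly" evidence item above both come down to the same check: is every mounted volume sitting on an encrypted layer, and does the cipher match policy? The script below is an added example, not CIS-provided tooling, that evaluates captured output from the three example implementations named in the description (dm-crypt via `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`, BitLocker via `manage-bde -status`, FileVault via `fdesetup status`). The sample outputs are constructed, and the plaintext mount-point allowlist and the required BitLocker method (`XTS-AES 256`, matching the AES-256 requirement in step 7) are assumptions to align with your own policy.

```python
"""Disk-encryption evidence check for Safeguard 3.6 (added example, not CIS tooling).

Parses captured tool output instead of running the tools, so the logic can be
tested offline and re-run against the monthly exports the evidence table asks for.
All sample outputs below are constructed for illustration.
"""
import re
import shlex

# Mount points allowed to stay in plaintext because the boot loader reads them.
# Assumption: replace with the organisation's approved exception list.
PLAINTEXT_ALLOWED = {"/boot", "/boot/efi", "[SWAP]"}

# ---- Linux: output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` ----
def parse_lsblk_pairs(text):
    """Turn lsblk -P lines (KEY="value" pairs) into {NAME: {field: value}}."""
    devices = {}
    for line in text.strip().splitlines():
        if line.strip():
            fields = dict(tok.split("=", 1) for tok in shlex.split(line))
            devices[fields["NAME"]] = fields
    return devices

def is_on_crypt(devices, name):
    """Follow PKNAME up the stack; True if the device or any ancestor is dm-crypt."""
    while name in devices:                      # PKNAME="" ends the walk
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False

def linux_findings(lsblk_text, allowed=PLAINTEXT_ALLOWED):
    """Mount points whose backing storage has no dm-crypt layer beneath it."""
    devices = parse_lsblk_pairs(lsblk_text)
    return sorted(
        dev["MOUNTPOINT"]
        for name, dev in devices.items()
        if dev.get("MOUNTPOINT") and dev["MOUNTPOINT"] not in allowed
        and not is_on_crypt(devices, name)
    )

# ---- Windows: output of `manage-bde -status` ----
def windows_findings(mbde_text, required_method="XTS-AES 256"):
    """Per-volume findings: not fully encrypted, protection off, or a cipher
    weaker than the approved one (the checklist calls for AES-256)."""
    findings, volume = [], None
    for line in mbde_text.splitlines():
        head = re.match(r"^Volume (\w:)", line)          # "Volume C: [Windows]"
        if head:
            volume = head.group(1)
            continue
        kv = re.match(r"^\s+([A-Za-z ]+):\s+(\S.*?)\s*$", line)   # indented "Key:  value"
        if not kv or volume is None:
            continue
        key, value = kv.groups()
        if key == "Conversion Status" and value != "Fully Encrypted":
            findings.append(f"{volume} conversion status is '{value}'")
        elif key == "Protection Status" and value != "Protection On":
            findings.append(f"{volume} protection status is '{value}'")
        elif key == "Encryption Method" and value != required_method:
            findings.append(f"{volume} uses {value}; policy requires {required_method}")
    return findings

# ---- macOS: output of `fdesetup status` ----
def macos_findings(fdesetup_text):
    """fdesetup prints 'FileVault is On.' or 'FileVault is Off.'"""
    return [] if "FileVault is On." in fdesetup_text else ["FileVault is not enabled"]

# Constructed sample: LVM-on-LUKS root plus an unencrypted data disk.
SAMPLE_LSBLK = """\
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data" PKNAME="sda"
"""

# Constructed sample: OS volume encrypted with 128-bit XTS, data volume unencrypted.
SAMPLE_MANAGE_BDE = """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
"""

if __name__ == "__main__":
    for platform, result in (("linux", linux_findings(SAMPLE_LSBLK)),
                             ("windows", windows_findings(SAMPLE_MANAGE_BDE)),
                             ("macos", macos_findings("FileVault is Off."))):
        print(platform, "PASS" if not result else "FAIL: " + "; ".join(result))
```

Walking the `PKNAME` chain matters on Linux because the mounted filesystem usually lives on an LVM logical volume, not on the dm-crypt mapping itself; checking only the mounted device's own `TYPE` would flag a correctly encrypted LVM-on-LUKS root as unencrypted. Keeping the samples and the checks separate lets the same functions run over the exports captured for the quarterly and monthly evidence items without touching production devices.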