
SC-28.1: Cryptographic Protection

An OSCAL Control

Statement

    • Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

        • Guidance:

          Organizations should select a mode of protection that is targeted towards the relevant threat scenarios.

          Examples:

          A. Organizations may apply full disk encryption (FDE) to a mobile device where the primary threat is loss of the device while storage is locked.

          B. For a database application housing data for a single customer, encryption at the file system level would often provide more protection than FDE against the more likely threat of an intruder on the operating system accessing the storage.

          C. For a database application housing data for multiple customers, encryption with unique keys for each customer at the database record level may be more appropriate.
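Option C above (record-level encryption with a separate key per customer) is the one most often implemented in application code, so here is an added example of that pattern. It is not part of the OSCAL control or its guidance; it assumes a Go service that holds one AES-256-GCM data-encryption key per tenant (generated in memory here purely for illustration, where a real deployment would fetch them from a KMS or HSM) and binds the tenant identifier to each ciphertext as additional authenticated data, so that a record copied from one customer's rows to another's fails authentication rather than decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring holds one independent data-encryption key per customer (tenant).
// Assumption for this example: keys are generated in process memory. In a
// real system they would be issued and stored by a KMS/HSM.
type Keyring struct {
	keys map[string][]byte
}

// NewKeyring creates a fresh random 256-bit key for each named tenant.
func NewKeyring(tenants ...string) (*Keyring, error) {
	kr := &Keyring{keys: make(map[string][]byte)}
	for _, t := range tenants {
		k := make([]byte, 32) // AES-256
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		kr.keys[t] = k
	}
	return kr, nil
}

// aead returns an AES-GCM instance for the tenant, or an error if the tenant
// has no key (an unknown tenant must never silently fall back to a shared key).
func (kr *Keyring) aead(tenant string) (cipher.AEAD, error) {
	k, ok := kr.keys[tenant]
	if !ok {
		return nil, errors.New("no key for tenant " + tenant)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one database record under the tenant's own key.
// The tenant ID is bound as additional authenticated data, so the stored
// blob only opens when presented with the same tenant ID and key.
// Output layout: nonce || ciphertext || GCM tag.
func (kr *Keyring) EncryptRecord(tenant string, plaintext []byte) ([]byte, error) {
	gcm, err := kr.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// DecryptRecord opens a stored blob for the tenant. Any mismatch in key,
// tenant ID, nonce or ciphertext bytes yields an authentication error.
func (kr *Keyring) DecryptRecord(tenant string, stored []byte) ([]byte, error) {
	gcm, err := kr.aead(tenant)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("stored record too short")
	}
	return gcm.Open(nil, stored[:ns], stored[ns:], []byte(tenant))
}

func main() {
	kr, err := NewKeyring("acme", "globex") // constructed tenant names
	if err != nil {
		panic(err)
	}
	blob, _ := kr.EncryptRecord("acme", []byte("ssn=000-00-0000")) // constructed sample record
	pt, _ := kr.DecryptRecord("acme", blob)
	fmt.Printf("acme reads its own record: %q\n", pt)
	_, err = kr.DecryptRecord("globex", blob)
	fmt.Printf("globex reading acme's record: %v\n", err)
}
```

The property worth checking in review is the negative case: with per-tenant keys and the tenant ID as associated data, an intruder who can read the database or copy rows between customers obtains only ciphertext that no other tenant's key will open, which is exactly the threat the guidance contrasts with whole-disk encryption.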