CEK-03: Data Encryption

CSF v1.1 References:

PF v1.0 References:


This control is new to this version of the control set and incorporates the following items from the previous version: EKM-03: Sensitive Data Protection, EKM-04: Storage and Access.

Control Statement

Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.

Implementation Guidance

Data protection/data encryption is the process of changing plaintext into ciphertext using a cryptographic algorithm and key.

  1. Organizations should be able to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
  2. Data at rest involves databases, end-user workstations, and file servers.
  3. Data in transit involves system interfaces, public networks, and electronic messaging.
  4. Cryptography provides data protection: confidentiality, integrity, availability, and source authentication.
  5. Cryptographic key management system (CKMS) security policies and rules need to protect the confidentiality, integrity, availability, and source authentication of all keys, algorithms, and metadata.
  6. Key management technology and processes should be NIST FIPS validated and/or approved by the National Security Agency (NSA) or other relevant international standardization bodies.
  7. Approved algorithms and key sizes should reside in the CKMS.
  8. Quantum-resistant encryption is developing quickly, and it is recommended that this technology is closely monitored so the organization is not exposed.
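The guidance above distinguishes full-disk encryption from encrypting specific data structures (item 1) and expects confidentiality and integrity from the chosen primitive (item 4). The following Go program is an added example, not part of the CCM or any CSA-provided code, showing field-level encryption of a single record value with AES-256-GCM (an approved algorithm and key size; GCM supplies both confidentiality and an integrity tag). The key here is generated in-process for self-containment; in a deployment it would come from the CKMS or HSM that items 5 to 7 describe. The field name and record value are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize of 32 bytes selects AES-256, an approved key size.
const keySize = 32

// generateKey returns a fresh random 256-bit key.
// Stand-in for a key issued by the organization's CKMS/HSM (assumption for this example).
func generateKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptField seals one record field with AES-256-GCM.
// The random nonce is prepended to the output. The field context (e.g. "table.column#row")
// is bound as additional authenticated data so a ciphertext copied into a different
// field or record fails authentication on decryption.
func encryptField(key, plaintext, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice used as dst.
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// decryptField reverses encryptField; any modification of nonce, ciphertext, tag or
// context makes gcm.Open return an error instead of plaintext.
func decryptField(key, sealed, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, context)
}

func main() {
	key, err := generateKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: one sensitive column value bound to its field context.
	context := []byte("customers.account_number#1001")
	sealed, err := encryptField(key, []byte("ACCT-0001-SAMPLE"), context)
	if err != nil {
		panic(err)
	}
	plain, err := decryptField(key, sealed, context)
	fmt.Printf("decrypted: %s, err: %v\n", plain, err)

	// Same ciphertext presented under another record's context is rejected.
	_, err = decryptField(key, sealed, []byte("customers.account_number#1002"))
	fmt.Printf("moved to another record: err=%v\n", err)
}
```

The context binding is what turns per-field encryption into a useful control: an auditor checking item 3 of the Auditing Guidance can confirm not only that the column is ciphertext but that ciphertexts cannot be swapped between records without detection.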

Auditing Guidance

  1. Identify data flows within the organization that are in transit.
  2. Identify data stores within the organization that hold data at rest.
  3. Confirm that the identified data flows and data stores are protected by an appropriate cryptographic algorithm, aligned with the cryptography, encryption, and key management policy and procedures.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.