3.11: Encrypt Sensitive Data at Rest

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:


Info icon.

Incorporates the following controls from the previous version of the control set: 14.8: Encrypt Sensitive Information at Rest, 16.4: Encrypt or Hash all Authentication Credentials.

Control Statement

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]