3.11: Encrypt Sensitive Data at Rest

CSF v1.1 References:

PR.DS-1

PF v1.0 References:

PR.DS-P1

Threats Addressed:

Tampering
Information Disclosure

Group:

Incorporates the following controls from the previous version: 14.8: Encrypt Sensitive Information at Rest, 16.4: Encrypt or Hash all Authentication Credentials.

Control Statement

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]

Control Statement

Related Controls

NIST Special Publication 800-53 Revision 5

NIST Special Publication 800-171 Revision 2

NIST Special Publication 800-53 Revision 4