SC-28: Protection of Information at Rest

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Baselines:

  • Low

    N/A

  • Moderate
  • High
  • Privacy

    N/A

Previous Version:

Control Statement

Protect the [Assignment (one or more): confidentiality, integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Supplemental Guidance

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

Control Enhancements

SC-28(1): Cryptographic Protection

Baseline(s):

  • Moderate
  • High

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].

SC-28(2): Offline Storage

Baseline(s):

(Not part of any baseline)

Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].

SC-28(3): Cryptographic Keys

Baseline(s):

(Not part of any baseline)

Provide protected storage for cryptographic keys [Assignment: [Assignment: organization-defined safeguards] , hardware-protected key store].