Encryption at rest
Description
What this control does
Encryption at rest protects data stored on persistent media (disk, tape, object storage, databases) by transforming it into ciphertext with cryptographic algorithms, so that confidentiality is preserved even if the physical media is stolen or accessed without authorization. The control is typically implemented as full-disk encryption (FDE), file-system encryption, database transparent data encryption (TDE), or application-level encryption, with a centralized key management system (KMS) holding the cryptographic keys separately from the encrypted data. It mitigates unauthorized data disclosure from theft, improper disposal, snapshot exposure, or insider access to storage infrastructure.
Control objective
What auditing this proves
Demonstrate that all data classified as sensitive or above is encrypted when stored at rest using industry-standard algorithms, that encryption keys are managed separately from encrypted data, and that cryptographic controls remain enforced across storage tiers and backup media.
Associated risks
Risks this control addresses
- Unauthorized access to sensitive data through physical theft of servers, laptops, hard drives, or backup tapes
- Data exposure via improper disposal or decommissioning of storage media without secure erasure
- Insider threats from system administrators or cloud operators accessing raw storage volumes or snapshots without application-layer authorization
- Regulatory non-compliance resulting in fines or legal liability for exposing personally identifiable information (PII), protected health information (PHI), or payment card data
- Cloud provider breaches or misconfigured object storage buckets exposing unencrypted customer data to external attackers
- Data exfiltration through compromised hypervisor or storage infrastructure without detection due to plaintext visibility
- Loss of customer trust and reputational damage following public disclosure of a breach involving unencrypted data
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy and inventory of systems storing data classified as sensitive, confidential, or restricted.
- Select a representative sample of production systems, databases, file servers, and cloud storage buckets containing in-scope data across all business units and environments.
- For each sampled system, inspect configuration settings to verify encryption is enabled (e.g., BitLocker status, LUKS configuration, AWS EBS encryption flags, Azure Storage Service Encryption, database TDE status).
- Request cryptographic configuration details, including algorithm type, key length and encryption mode, and verify they meet organizational standards (e.g., AES-256, FIPS 140-2 validated modules).
- Examine key management architecture to confirm encryption keys are stored separately from encrypted data, preferably in a hardware security module (HSM) or dedicated KMS with access controls.
- Review access logs for key management systems to verify that key retrieval is restricted to authorized service accounts and that administrative access is logged and monitored.
- Test a backup or snapshot to confirm encryption persists through backup processes and that backup media is also encrypted using separate or wrapped keys.
- Interview system administrators to validate procedures for key rotation, handling of encryption failures, and process for secure media disposal or decommissioning.
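Steps 1 to 7 above can be partly automated once the sampled systems' settings have been collected. The following is an added example (not part of this control text or any particular tool) that evaluates a constructed storage inventory against the stated requirements: in-scope classification, encryption enabled, approved algorithm and key length, key held in a separate KMS/HSM, and encryption persisting into snapshots and backups. The inventory fields, classification ordering and algorithm thresholds are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Classification levels in ascending order of sensitivity (assumed policy).
LEVELS = {"public": 0, "internal": 1, "sensitive": 2, "confidential": 3, "restricted": 4}
# Approved algorithms and the minimum key length in bits for each (assumed).
APPROVED = {"AES-XTS": 256, "AES-GCM": 256, "AES-CBC": 256}

@dataclass
class StorageAsset:
    name: str
    classification: str
    encrypted: bool
    algorithm: str = ""
    key_bits: int = 0
    key_store: str = ""                 # "kms", "hsm", "local" or "" (none)
    backups: list = field(default_factory=list)   # snapshots / backup copies

def check_asset(asset, classification=None, label=""):
    """Return findings for one asset; backups inherit the parent's classification."""
    cls = classification or asset.classification
    tag = f"{asset.name}{label}"
    findings = []
    if LEVELS.get(cls, 0) >= LEVELS["sensitive"]:     # "sensitive or above" is in scope
        if not asset.encrypted:
            findings.append(f"{tag}: in-scope data stored in plaintext")
        else:
            min_bits = APPROVED.get(asset.algorithm)
            if min_bits is None:
                findings.append(f"{tag}: algorithm '{asset.algorithm}' not approved")
            elif asset.key_bits < min_bits:
                findings.append(f"{tag}: key length {asset.key_bits} < {min_bits} bits")
            if asset.key_store not in ("kms", "hsm"):
                findings.append(f"{tag}: key not held in a separate KMS/HSM")
    # Encryption must persist through snapshots and backup media (step 7).
    for backup in asset.backups:
        findings += check_asset(backup, cls, " (backup)")
    return findings

def audit(inventory):   # returns {asset name: [findings]}; empty list means PASS
    return {a.name: check_asset(a) for a in inventory}

# Constructed sample inventory (not real systems).
SAMPLE = [
    StorageAsset("prod-db-vol", "restricted", True, "AES-XTS", 256, "kms", backups=[
        StorageAsset("prod-db-snap", "restricted", True, "AES-XTS", 256, "kms"),
        StorageAsset("prod-db-tape", "restricted", False),
    ]),
    StorageAsset("hr-share", "confidential", True, "AES-CBC", 128, "local"),
    StorageAsset("marketing-cdn", "public", False),
]
```

Running `audit(SAMPLE)` flags the unencrypted tape copy of the database volume and the HR share's short key and locally stored key, while the public CDN asset passes because it is out of scope.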
Where this control is tested