SC-28 / A.8.24 / CIS-3.3 NIST SP 800-53 Rev 5

Full-disk encryption on every workstation

Demonstrate that all organizational workstations have full-disk encryption enabled, properly configured with strong cryptographic algorithms, and centrally managed to prevent unauthorized access to data at rest.

Description

What this control does

Full-disk encryption (FDE) protects all data stored on workstation hard drives or solid-state drives by encrypting entire volumes using algorithms such as AES-256. When properly implemented, FDE requires pre-boot authentication or secure key management (e.g., TPM-based unlocking), rendering data unreadable if a device is lost, stolen, or physically accessed without authorization. This control is foundational for protecting sensitive organizational data at rest on endpoint devices, particularly mobile workstations that leave secure premises.

Associated risks

Risks this control addresses

  • Theft or loss of a workstation resulting in unauthorized access to unencrypted sensitive data, intellectual property, or credentials stored locally
  • Physical compromise of devices during travel, maintenance, or disposal leading to data exfiltration without network detection
  • Insider threats involving physical removal of storage media from workstations to bypass network security controls
  • Forensic recovery of deleted or residual data from decommissioned or repurposed workstations that were not encrypted
  • Regulatory non-compliance and breach notification obligations triggered by loss of unencrypted devices containing personal or protected health information
  • Exposure of cached credentials, browser passwords, or application secrets stored in operating system files accessible via offline attacks
  • Supply chain interdiction or tampering with devices in transit that could allow covert data collection from unencrypted drives

Testing procedure

How an auditor verifies this control

  1. Obtain a current inventory of all organizational workstations including desktops, laptops, and mobile devices from asset management systems or endpoint management platforms.
  2. Request and review the organization's full-disk encryption policy document, including approved encryption software, key management procedures, and pre-boot authentication requirements.
  3. Export configuration reports from the central endpoint management console (e.g., Microsoft Intune, Jamf Pro, Tanium, CrowdStrike) showing encryption status, algorithm, and recovery key escrow for all enrolled workstations.
  4. Select a stratified random sample of at least 15-20 workstations representing different departments, operating systems, and device types for hands-on validation.
  5. Perform physical or remote inspection of sampled workstations to verify encryption status using native tools (BitLocker status, FileVault status, LUKS status) and confirm the algorithm meets organizational standards.
  6. Verify that encryption recovery keys are escrowed in a secure, centralized repository such as Active Directory, Azure Key Vault, or a dedicated key management system with appropriate access controls.
  7. Test pre-boot authentication or TPM-based unlocking on at least three sampled devices by restarting them and observing authentication prompts or automatic unlocking behavior.
  8. Review exception logs and remediation records for any workstations identified as non-compliant to confirm timely resolution or documented risk acceptance with appropriate approval.

Evidence required

  • Configuration exports from endpoint management platforms showing encryption status, algorithm type (AES-256 or equivalent), and key escrow confirmation for all workstations.
  • Screenshots or command-line output from sampled devices demonstrating active encryption (e.g., 'manage-bde -status', 'fdesetup status', 'cryptsetup status').
  • Policy documents defining encryption requirements, recovery key management procedures, and exception handling processes.
  • Compliance dashboards or reports showing encryption coverage percentage and remediation timelines for non-compliant devices.

Pass criteria

All workstations in scope demonstrate active full-disk encryption using approved algorithms with centrally escrowed recovery keys, and any documented exceptions have current risk acceptance signed by appropriate authority.
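One way to turn step 5 and the pass criteria into a repeatable check over the command-line output collected from sampled devices, as an added example that is not part of this control page or of any named product: a POSIX shell script that evaluates captured 'manage-bde -status', 'cryptsetup status' and 'fdesetup status' output for "fully encrypted, protection on, AES-256 or equivalent". The sample outputs are constructed, and the field layouts are assumed from the tools' usual format, so adjust the patterns to the versions deployed in your environment.

```shell
# Evaluate captured FDE status output against the pass criteria: fully encrypted,
# protection on, AES-256 or equivalent. Each check returns 0 (pass) or 1 (fail).
# Windows: output of "manage-bde -status <volume>"
check_bitlocker() {
  out=$1
  printf '%s\n' "$out" | grep -qi 'Conversion Status: *Fully Encrypted' || return 1
  printf '%s\n' "$out" | grep -qi 'Protection Status: *Protection On'   || return 1
  # "XTS-AES 256" or "AES 256" meets the bar; "AES 128" does not.
  printf '%s\n' "$out" | grep -qiE 'Encryption Method: *(XTS-)?AES 256'
}

# Linux: output of "cryptsetup status <name>". In XTS mode the reported
# keysize covers two AES keys, so "512 bits" with aes-xts means AES-256.
check_luks() {
  out=$1
  printf '%s\n' "$out" | grep -q 'is active'    || return 1
  printf '%s\n' "$out" | grep -qE 'type: *LUKS' || return 1
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *cipher: *//p')
  bits=$(printf '%s\n' "$out" | sed -n 's/^ *keysize: *\([0-9][0-9]*\) bits.*/\1/p')
  case $cipher in
    aes-xts-*) [ "${bits:-0}" -ge 512 ] ;;   # two 256-bit keys
    aes-*)     [ "${bits:-0}" -ge 256 ] ;;
    *)         return 1 ;;
  esac
}
# macOS: "fdesetup status" only reports on/off; algorithm evidence must
# come from the management console export instead.
check_filevault() {
  printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}
# Constructed sample outputs, trimmed to the lines the checks rely on.
BITLOCKER_OK='Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On'
BITLOCKER_BAD='Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128
    Protection Status:    Protection Off'
LUKS_OK='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits'
LUKS_WEAK='/dev/mapper/cryptroot is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 256 bits'
check_luks "$LUKS_WEAK" && echo "LUKS sample: PASS" || echo "LUKS sample: FAIL (AES-128 in XTS)"
```

A device whose output fails any check is a candidate for the exception log in step 8, not a pass with a note.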
