CONS-03

Is the data encrypted (at rest) while in the consultant's possession?

Explanation

This question asks whether data stored (at rest) by consultants is encrypted. Data at rest is information held on physical devices (laptops, servers, USB drives) or in cloud storage, as opposed to data actively moving through a network. Encryption at rest converts that stored data into a coded form that can only be read with the proper decryption key, so it stays unreadable if an unauthorized party gains access to the storage media.

This question is asked in a security assessment because:

1. Consultants often handle sensitive client information outside the client's secure environment.
2. Consultant devices (laptops, phones, etc.) are at higher risk of theft or loss because of travel and remote work.
3. If unencrypted data is stolen or accessed inappropriately, it can lead to a data breach.
4. Many compliance frameworks (GDPR, HIPAA, PCI DSS, etc.) require encryption of sensitive data.

The best way to answer this question is to:

1. Clearly state whether you encrypt data at rest.
2. Specify which encryption methods/standards are used (e.g., AES-256).
3. Describe which storage locations are encrypted (laptops, mobile devices, cloud storage).
4. Mention any exceptions where data might not be encrypted.
5. Reference the relevant policies that govern your encryption practices.
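Whoever answers or assesses this question usually wants evidence behind the statement, not only the policy wording: which devices are actually fully encrypted, with protection active, at the key strength the answer claims. The script below is an added example (not from ResponseHub or the page's author) of how a periodic device audit could evaluate such evidence. The hostnames are hypothetical, the tool output is constructed to imitate `manage-bde -status` (Windows BitLocker) and `fdesetup status` (macOS FileVault), and the policy thresholds (fully encrypted, protection on, AES key of at least 256 bits on Windows, FileVault on for macOS) are assumptions rather than requirements of any named framework.

```python
"""Audit full-disk-encryption evidence gathered from consultant devices.

Constructed example: hostnames are hypothetical, the evidence text imitates
`manage-bde -status` (BitLocker) and `fdesetup status` (FileVault) output,
and the policy encoded below is an assumption, not a framework mandate.
"""
import re
from dataclasses import dataclass

REQUIRED_KEY_BITS = 256  # assumed policy threshold, matching the "AES-256" claim

# Constructed sample evidence keyed by hypothetical hostname: (platform, tool output).
SAMPLE_EVIDENCE = {
    "CONSULT-WIN-01": ("windows",
        "Volume C: [OSDisk]\n[OS Volume]\n\n"
        "    Conversion Status:    Fully Encrypted\n"
        "    Percentage Encrypted: 100.0%\n"
        "    Encryption Method:    XTS-AES 256\n"
        "    Protection Status:    Protection On\n"),
    # Encrypted, but protectors suspended (a state often left behind after a
    # firmware update): BitLocker keeps the volume master key as a clear key.
    "CONSULT-WIN-02": ("windows",
        "Volume C: [OSDisk]\n[OS Volume]\n\n"
        "    Conversion Status:    Fully Encrypted\n"
        "    Percentage Encrypted: 100.0%\n"
        "    Encryption Method:    XTS-AES 256\n"
        "    Protection Status:    Protection Off\n"),
    # Encrypted with the 128-bit default, weaker than the AES-256 the answer claims.
    "CONSULT-WIN-03": ("windows",
        "Volume C: [OSDisk]\n[OS Volume]\n\n"
        "    Conversion Status:    Fully Encrypted\n"
        "    Percentage Encrypted: 100.0%\n"
        "    Encryption Method:    XTS-AES 128\n"
        "    Protection Status:    Protection On\n"),
    # Encryption still running after enablement; part of the disk is plaintext.
    "CONSULT-WIN-04": ("windows",
        "Volume C: [OSDisk]\n[OS Volume]\n\n"
        "    Conversion Status:    Encryption In Progress\n"
        "    Percentage Encrypted: 41.3%\n"
        "    Encryption Method:    XTS-AES 256\n"
        "    Protection Status:    Protection Off\n"),
    "CONSULT-MAC-01": ("macos", "FileVault is On.\n"),
    "CONSULT-MAC-02": ("macos", "FileVault is Off.\n"),
}


@dataclass
class Finding:
    host: str
    platform: str
    compliant: bool
    method: str
    reason: str


def _bitlocker_fields(text):
    """Parse the 'Key:   Value' lines of manage-bde output into a dict."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", text, re.M)}


def evaluate_windows(host, text):
    f = _bitlocker_fields(text)
    method = f.get("Encryption Method", "")
    match = re.search(r"AES[- ]?(\d+)", method)
    bits = int(match.group(1)) if match else 0
    if f.get("Conversion Status") != "Fully Encrypted":
        return Finding(host, "windows", False, method,
                       f"conversion status is {f.get('Conversion Status', 'unknown')}")
    if f.get("Protection Status") != "Protection On":
        return Finding(host, "windows", False, method,
                       "protectors suspended: volume master key stored as a clear key")
    if bits < REQUIRED_KEY_BITS:
        return Finding(host, "windows", False, method,
                       f"key size {bits} below policy minimum {REQUIRED_KEY_BITS}")
    return Finding(host, "windows", True, method, "fully encrypted, protection on")


def evaluate_macos(host, text):
    on = re.search(r"^FileVault is On\.", text, re.M) is not None
    return Finding(host, "macos", on, "FileVault" if on else "",
                   "FileVault on" if on else "FileVault off")


EVALUATORS = {"windows": evaluate_windows, "macos": evaluate_macos}


def run_audit(evidence=SAMPLE_EVIDENCE):
    """Return one Finding per host; platforms without an evaluator fail closed."""
    findings = {}
    for host, (platform, text) in evidence.items():
        evaluator = EVALUATORS.get(platform)
        findings[host] = (evaluator(host, text) if evaluator else
                          Finding(host, platform, False, "", "no evaluator for platform"))
    return findings


def noncompliant_hosts(findings):
    return sorted(h for h, f in findings.items() if not f.compliant)


if __name__ == "__main__":
    results = run_audit()
    for host, f in sorted(results.items()):
        print(f"{host:16} {'PASS' if f.compliant else 'FAIL':4} {f.method:12} {f.reason}")
    print("gaps:", ", ".join(noncompliant_hosts(results)) or "none")
```

Run against the constructed sample, the audit passes CONSULT-WIN-01 and CONSULT-MAC-01 and flags the other four, which is the point of checking more than an "encryption enabled" checkbox: a suspended protector, an in-progress conversion, or a weaker-than-claimed key size each make the written answer inaccurate for that device. Unknown platforms fail closed so that an unexpected device type shows up as a gap rather than disappearing from the report.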

Example Responses

Example Response 1

Yes, all client data at rest is encrypted while in our consultants' possession. We implement full-disk encryption using BitLocker (Windows) or FileVault (Mac) with AES-256 encryption on all consultant laptops and workstations. Our mobile devices use native encryption capabilities (iOS/Android). For cloud storage, we exclusively use enterprise solutions with at-rest encryption (Microsoft OneDrive for Business with AES-256 encryption). Our data handling policy requires that consultants never store client data on unencrypted removable media. We conduct quarterly audits to verify compliance with these encryption requirements.

Example Response 2

Yes, we maintain strict encryption protocols for all client data at rest. Our consultants use company-issued devices with mandatory encryption: laptops use FIPS 140-2 validated full-disk encryption, and all mobile devices have hardware-level encryption enabled. Our secure document repository (SharePoint Online) implements AES-256 encryption at rest. For specialized analysis requiring local storage, we use encrypted virtual machines with encrypted virtual disks. Our security team manages the encryption key lifecycle, and we maintain a centralized key management system with appropriate access controls. This approach is documented in our Data Protection Policy, which all consultants must acknowledge annually.

Example Response 3

No, we do not currently encrypt all data at rest while in our consultants' possession. While our enterprise cloud storage solutions (Google Workspace) provide encryption at rest, we do not enforce full-disk encryption on all consultant devices. Our current policy recommends but does not require encryption on laptops. We recognize this as a security gap and are implementing a phased approach to address it. By Q3 of this year, we will deploy mandatory device management software that will enforce encryption on all company and personal devices used for client work. In the interim, we mitigate risk by requiring consultants to use our encrypted cloud storage rather than local storage for sensitive client information.

Context

Tab
Case-Specific
Category
Consulting Services

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub