DATA-03

Is the storage of sensitive data encrypted using security protocols/algorithms (e.g., disk encryption, at-rest, files, and within a running database)?

Explanation

This question is asking whether your organization encrypts sensitive data when it is stored (at rest) using appropriate security protocols or algorithms. Encryption at rest means that data is encrypted when it is stored on disk, in databases, or in other storage systems, as opposed to when it is being transmitted or actively processed.

The question specifically mentions several contexts where encryption should be applied:

- Disk encryption: Full-disk or volume-level encryption that protects all data on a storage device
- At-rest encryption: General term for encrypting stored data
- File encryption: Encrypting individual files or groups of files
- Database encryption: Encrypting data within a running database

This question is being asked in a security assessment because unencrypted sensitive data is vulnerable to unauthorized access if storage media is physically stolen or improperly decommissioned, or if an attacker gains access to the storage systems. Encryption adds a critical layer of protection by making the data unreadable without the proper decryption keys.

To best answer this question:

1. Identify all locations where sensitive data is stored in your environment
2. Document the encryption methods used for each storage location
3. Specify the encryption algorithms and key strengths (e.g., AES-256)
4. Mention any compliance standards the encryption methods adhere to (e.g., FIPS 140-2)
5. Describe key management practices
6. If any sensitive data is not encrypted, explain why and what compensating controls are in place
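As an added illustration (not ResponseHub's code, nor that of any product named on this page), the following Go program shows what "application-level encryption of specific sensitive fields", "key management following a hierarchical model" and "regular key rotation" look like in practice, which is the substance a reviewer expects behind steps 3 and 5 above: a random per-record data key encrypts the field with AES-256-GCM, a versioned master key wraps that data key, and rotating the master key adds a new version without re-encrypting existing rows. The KeyRing type, the stored record layout and the in-memory master keys are assumptions made for this example; in a real deployment the master keys would stay inside a KMS or HSM and only the wrap/unwrap calls would cross that boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const keyLen = 32                   // 32-byte keys select AES-256
const wrappedLen = 12 + keyLen + 16 // GCM nonce + wrapped DEK + GCM tag
const hdrLen = 4 + wrappedLen       // master-key version + wrapped DEK

// randomBytes draws n bytes from the OS CSPRNG; a failing CSPRNG is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM for a key made in this file; key sizes are fixed, so an error here is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce||ciphertext||tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcmFor(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to the blob or the AAD fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcmFor(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// KeyRing is the master-key tier of a hierarchical key model; old versions are kept after rotation
// so records wrapped under them still decrypt. ASSUMPTION: a real deployment holds these in a KMS/HSM.
type KeyRing struct {
	current uint32
	keys    map[uint32][]byte
}

// NewKeyRing returns a ring whose first master key (version 1) is active.
func NewKeyRing() *KeyRing {
	kr := &KeyRing{keys: map[uint32][]byte{}}
	kr.Rotate()
	return kr
}

// Rotate adds a new master key version and makes it active for new writes.
func (kr *KeyRing) Rotate() {
	kr.current++
	kr.keys[kr.current] = randomBytes(keyLen)
}

// EncryptField applies envelope encryption to one sensitive column value: a random per-record
// data key (DEK) encrypts the value, the active master key wraps the DEK, and the two are stored
// as version(4, big-endian) || wrapped DEK || field ciphertext (a layout constructed for this
// example). The record ID is bound in as AAD, so a ciphertext copied onto another row will not decrypt.
func (kr *KeyRing) EncryptField(recordID string, value []byte) []byte {
	dek := randomBytes(keyLen)
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, kr.current)
	out = append(out, seal(kr.keys[kr.current], dek, nil)...)
	return append(out, seal(dek, value, []byte(recordID))...)
}

// DecryptField unwraps the DEK with the master key version named in the blob, then decrypts the field.
func (kr *KeyRing) DecryptField(recordID string, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen {
		return nil, errors.New("malformed record")
	}
	mk, ok := kr.keys[binary.BigEndian.Uint32(blob[:4])]
	if !ok {
		return nil, errors.New("master key version not in key ring")
	}
	dek, err := open(mk, blob[4:hdrLen], nil)
	if err != nil {
		return nil, err
	}
	return open(dek, blob[hdrLen:], []byte(recordID))
}
```

Typical use is `kr := NewKeyRing()`, `blob := kr.EncryptField("customer:42", []byte(ssn))` before the write, and `kr.DecryptField("customer:42", blob)` on read. Decryption checks the three things a questionnaire reviewer tends to probe: the master key version still exists in the ring, the wrapped data key authenticates, and the field ciphertext authenticates under the same record ID, so a value copied between rows, modified in storage, or read with the wrong master key is rejected rather than silently decrypted to garbage.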

Example Responses

Example Response 1

Yes, we implement comprehensive encryption for all sensitive data at rest. Our approach includes: (1) Full-disk encryption using BitLocker (Windows) and LUKS (Linux) with AES-256 encryption on all servers and endpoints that process sensitive data; (2) Database-level encryption using Transparent Data Encryption (TDE) for all SQL Server and Oracle databases containing sensitive information; (3) Application-level encryption for specific sensitive fields (e.g., SSNs, credit card numbers) using AES-256 before storing in databases; (4) Object-level encryption for all sensitive data stored in our S3 buckets and Azure Blob storage; (5) All encryption keys are managed through AWS KMS and Azure Key Vault with strict access controls and regular key rotation. Our encryption implementations comply with FIPS 140-2 requirements and are regularly tested as part of our security assessment program.

Example Response 2

Yes, we encrypt all sensitive data at rest using industry-standard protocols. For our cloud-based infrastructure in AWS, we utilize AWS-managed encryption services including: (1) EBS volume encryption for all storage volumes attached to EC2 instances; (2) S3 server-side encryption with KMS-managed keys (SSE-KMS) for all object storage; (3) RDS encryption for all database instances, with automated backup encryption; (4) DynamoDB encryption at rest for NoSQL data. For our on-premises systems, we implement: (1) Self-encrypting drives (SEDs) in our data center servers; (2) PGP encryption for sensitive files before backup; (3) Column-level encryption in our data warehouse for PII fields. All encryption uses AES-256 algorithms at minimum, and our key management follows a hierarchical model with master keys stored in HSMs that are FIPS 140-2 Level 3 certified.

Example Response 3

No, we do not currently encrypt all sensitive data at rest. While we have implemented disk encryption on our employee laptops and workstations using BitLocker, our primary production database does not have encryption enabled at the database level. We recognize this as a security gap and have compensating controls in place, including: (1) Strict network segmentation with the database servers in a protected network segment; (2) Enhanced access controls requiring multi-factor authentication for database administrator access; (3) Comprehensive database activity monitoring and alerting. We have a project scheduled to implement Transparent Data Encryption across all production databases within the next 90 days, with a completion date of [specific date]. This project is tracked in our security roadmap with executive visibility and has allocated budget and resources.

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub