Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
Explanation
Cryptographic controls are essential for protecting data at rest from unauthorized access or tampering.
Encryption converts data into an unreadable format that requires a key to decrypt, digital signatures verify the authenticity of data, and cryptographic hashes confirm data integrity by detecting changes.
These controls should be applied to files, databases, virtual machine images, containers, and other data storage systems based on sensitivity classification.
Evidence could include a data protection policy documenting cryptographic requirements, system configuration documentation showing encryption settings, or screenshots of encryption implementation in key systems (with sensitive information redacted).
Implementation Example
Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources.
ID: PR.DS-01.223
Context
- Function: PR (PROTECT)
- Category: PR.DS (Data Security)
- Sub-Category: The confidentiality, integrity, and availability of data-at-rest are protected
Related questions
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
- Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?