AuditRubric
Control: pr-ds-1 | Severity: critical | Function / Category: Protect / Data Security

The confidentiality, integrity, and availability of data-at-rest are protected

Data at rest is data stored on disks, in databases, in backups, and in object storage. Without encryption, anyone who gains physical or logical access to storage media can read that data directly. Encrypting data at rest means a stolen disk or a misconfigured S3 bucket does not automatically become a data breach.

Estimated effort: 6h
Tags: encryption, data-at-rest, kms, storage-security

Implementation steps

  1. Enable encryption at rest for all storage services

     Turn on server-side encryption for all databases, object storage buckets, block storage volumes, and backup targets. Use platform-managed keys as a baseline, then upgrade to customer-managed keys (CMK) for sensitive data.

     Tools: aws-kms, google-cloud-kms, azure-key-vault, hashicorp-vault

  2. Encrypt developer and employee devices

     Enable full-disk encryption on all laptops and workstations. On macOS this is FileVault, on Windows it is BitLocker. Enforce this via your MDM so you can verify compliance and escrow recovery keys.

     Tools: jamf, microsoft-intune, kandji

  3. Manage encryption keys centrally with rotation

     Use a dedicated key management service rather than storing encryption keys alongside the data they protect. Configure automatic key rotation on at least an annual schedule for all customer-managed keys.

     Tools: aws-kms, google-cloud-kms, azure-key-vault, vault

  4. Verify encryption coverage and document it

     Run a scan or use your cloud provider's compliance tooling to confirm that no storage buckets, volumes, or databases are unencrypted. Document the encryption status of each storage asset in your data inventory.

     Tools: aws-security-hub, google-security-command-center, wiz, lacework
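An added example of the coverage check in step 4 (not part of this rubric and not any vendor's tooling): a Python function that evaluates an AWS storage inventory in the shapes boto3 returns from get_bucket_encryption, describe_volumes, describe_db_instances and get_key_rotation_status, and flags unencrypted stores, stores on platform-managed keys only (steps 1 and 3), and CMKs with rotation disabled. The inventory below is constructed sample data; the function and resource names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str  # "unencrypted" | "platform-managed-key" | "rotation-disabled"

def audit_storage(inventory: dict) -> list:
    """Evaluate an inventory built from boto3 responses:
    s3 -> {bucket: get_bucket_encryption() body, or None when the API reports
    no default encryption configuration}; ebs -> describe_volumes()["Volumes"];
    rds -> describe_db_instances()["DBInstances"]; kms -> {key: rotation status}."""
    findings = []
    for bucket, cfg in inventory.get("s3", {}).items():
        if cfg is None:
            findings.append(Finding(f"s3://{bucket}", "unencrypted"))
            continue
        rule = cfg["ServerSideEncryptionConfiguration"]["Rules"][0]
        if rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] != "aws:kms":
            # AES256 means SSE-S3: encrypted, but only with a platform-managed key
            findings.append(Finding(f"s3://{bucket}", "platform-managed-key"))
    for vol in inventory.get("ebs", []):
        if not vol.get("Encrypted", False):
            findings.append(Finding(f"ebs:{vol['VolumeId']}", "unencrypted"))
    for db in inventory.get("rds", []):
        if not db.get("StorageEncrypted", False):
            findings.append(Finding(f"rds:{db['DBInstanceIdentifier']}", "unencrypted"))
    for key, status in inventory.get("kms", {}).items():
        if not status.get("KeyRotationEnabled", False):
            findings.append(Finding(f"kms:{key}", "rotation-disabled"))
    return findings

# Constructed sample inventory (not real account data): a bucket on a CMK, one on
# SSE-S3, one with no default encryption, one plaintext volume, a CMK without rotation.
SAMPLE_INVENTORY = {
    "s3": {
        "logs-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": "alias/data-cmk"}}]}},
        "public-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "legacy-exports": None,
    },
    "ebs": [{"VolumeId": "vol-0a1", "Encrypted": True},
            {"VolumeId": "vol-0b2", "Encrypted": False}],
    "rds": [{"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True}],
    "kms": {"alias/data-cmk": {"KeyRotationEnabled": False}},
}

if __name__ == "__main__":
    for f in audit_storage(SAMPLE_INVENTORY):
        print(f"{f.issue:22} {f.resource}")  # one row per asset for the data inventory
```

Bucket default encryption applies only to objects written after it was set, so a bucket that passes here can still hold older plaintext objects; buckets that predate the setting need a per-object check as well.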

Evidence required

Storage encryption configuration

Evidence that all storage services have encryption at rest enabled.

  • AWS S3 bucket properties showing server-side encryption enabled
  • RDS or Aurora encryption status screenshot
  • GCP Storage bucket encryption settings screenshot

Device encryption status

MDM report confirming full-disk encryption is enabled on all managed devices.

  • Jamf FileVault or BitLocker compliance report
  • Intune device compliance report showing encryption status
  • Kandji disk encryption configuration profile

Key management configuration

Evidence of centralized key management with rotation enabled.

  • AWS KMS key rotation enabled screenshot
  • Azure Key Vault key rotation policy
  • Vault encryption-as-a-service configuration

Related controls