SC-28 - Protection of Information at Rest
Control requirements
- SC-28 - 0
- The information system protects the [IBM Assignment: confidentiality AND integrity] of [IBM Assignment: data in all regions and availability zones].
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether OS disks are encrypted with customer-managed keys
- Check whether App ID user data is encrypted
- Check whether Hyper Protect DBaaS for MongoDB is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether unattached disks are encrypted with customer-managed keys
- Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Virtual Servers for VPC is provisioned from an encrypted image
- Check whether Event Streams is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether App ID is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check that Schematics uses KYOK for Key management
- Check whether Block Storage for VPC is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Hyper Protect DBaaS for PostgreSQL is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether data disks are encrypted with customer-managed keys
NIST supplemental guidance
This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest.