SC-28 (1) - Cryptographic Protection
Control requirements
- SC-28 (1) - 0
- The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [IBM Assignment: confidential customer data] on [IBM Assignment: organization-defined information system components including portable computers, mobile devices, and electronic removable media].
Implementation guidance
See the resources that follow to learn more about how to implement this control.
IBM Cloud for Financial Services profile
The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.
- Check whether OS disks are encrypted with customer-managed keys
- Check whether App ID user data is encrypted
- Check whether Hyper Protect DBaaS for MongoDB is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether unattached disks are encrypted with customer-managed keys
- Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Virtual Servers for VPC is provisioned from an encrypted image
- Check whether Event Streams is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether App ID is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check that Schematics uses KYOK for Key management
- Check whether Block Storage for VPC is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Hyper Protect DBaaS for PostgreSQL is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
- Check whether data disks are encrypted with customer-managed keys
NIST supplemental guidance
Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.