Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.
Specification
Encryption can take place at the application, database, file system or entire disk level. The latter, Full Disk Encryption, is the preferred method of encrypting data-at-rest.
Based on the classification of the data, determine the requirements for data encryption.
Endpoints should support Intel® AES-NI technology, UEFI and GPT platforms.
Decryption keys may only persist on endpoints inside the TPM (Trusted Platform Module).
Data on unmanaged devices must be stored encrypted. It is recommended that this occurs in encrypted containers managed by the organisation and that users are not responsible for encrypting the unmanaged devices themselves. Note also the requirements surrounding key management.
The cryptographic modules used must be NIST-validated (CMVP) with an ‘active’ status: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
Symmetric encryption of data-at-rest with a block cipher must use a NIST-approved cipher together with a corresponding NIST-approved mode of operation: https://csrc.nist.gov/projects/block-cipher-techniques
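As an added example (not part of the SURF standard or any product it references), the approved cipher/mode requirement above applied with Go's standard library: AES-256 (FIPS 197) in GCM mode (SP 800-38D), with the record identifier bound as associated data and any tampering rejected on decryption. The function names and the record layout are assumptions for this illustration; the key would come from the organisation's key management in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM: AES (FIPS 197) in GCM (SP 800-38D), an approved cipher/mode pair; a 32-byte key enforces AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one data-at-rest record; the record ID is bound as associated data so the
// ciphertext cannot be silently moved to another record. Layout: nonce || ciphertext || tag.
func SealRecord(key, recordID, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh 96-bit nonce per record, never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenRecord reverses SealRecord; any change to nonce, ciphertext, tag or record ID fails the tag check.
func OpenRecord(key, recordID, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], recordID)
}
```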
ISO 27001 & 27002:2022
A5.10,
A5.14,
A5.33,
A5.34,
A7.7,
A7.10,
A8.26,
A8.33
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
DM.03 Security requirements for data management
SM.10 Cryptographic Key Management