All stored sensitive information must be encrypted.
Systems usually store personal data, i.e., Personally Identifiable Information (PII), medical records, credentials and other types of sensitive information. All of these must be encrypted before being stored using safe cryptographic mechanisms. This is also applicable when personal information must be temporarily stored in the client-side storage. The encryption prevents unauthorized actors that may have accessed the storage system from obtaining the information.
CIS Controls. 14.9 Encrypt Sensitive Information at Rest. Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
CWE-311: Missing Encryption of Sensitive Data. The software does not encrypt sensitive or critical information before storage or transmission.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
GDPR. Art. 32: Security of processing.(1)(a). The controller and the processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security, including the pseudonymization and encryption of personal data.
GDPR. Recital 45: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
ISO 27001:2013. Annex A - 18.1.3 Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
NERC CIP-011-2. B. Requirements and measures. R1.2 Implement procedure(s)for protecting and securely handling BES Cyber System Information, including storage, transit, and use.
OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.6) Verify that sensitive data, private keys and certificates are stored securely in a Secure Element, TPM, TEE (Trusted Execution Environment), or protected using strong cryptography.
OWASP-ASVS v4.0.1 V6.1 Data Classification.(6.1.1) Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU’s GDPR.
OWASP-ASVS v4.0.1 V6.1 Data Classification.(6.1.2) Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.
OWASP-ASVS v4.0.1 V6.1 Data Classification.(6.1.3) Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.7) Verify that sensitive or private information that is required to be encrypted, is encrypted using approved algorithms that provide both confidentiality and integrity.
PCI DSS v3.2.1 - Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
PCI DSS v3.2.1 - Requirement 3.4 Render PAN (Primary Account Number) unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
PCI DSS v3.2.1 - Requirement 3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
PCI DSS v3.2.1 - Requirement 6.5.3 Address common coding vulnerabilities in software-development processes such as insecure cryptographic storage.
PCI DSS v3.2.1 - Requirement 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.