REQ.185 Encrypt sensitive information
All stored sensitive information must be encrypted.
Systems usually store personal data, credentials and other types of sensitive information. All of it must be encrypted with safe cryptographic mechanisms before being stored, so that an unauthorized actor who gains access to the storage system cannot obtain the information.
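The following is an added example, not part of the original requirement text, of encrypting a sensitive field before it reaches storage. It assumes AES-256-GCM as the "safe cryptographic mechanism"; the names `newAEAD`, `sealField` and `openField`, the record IDs and the sample secret are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM; a 32-byte key selects AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one sensitive value before it is written to storage.
// The record ID is authenticated as associated data, so a ciphertext copied onto another record fails to open.
func sealField(aead cipher.AEAD, recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil // nonce || ciphertext || tag
}

// openField reverses sealField and fails on a wrong key, wrong record ID or modified bytes.
func openField(aead cipher.AEAD, recordID string, stored []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored value too short")
	}
	return aead.Open(nil, stored[:n], stored[n:], []byte(recordID))
}

func main() {
	key := make([]byte, 32) // constructed key; a real one comes from a key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aead, _ := newAEAD(key)
	stored, _ := sealField(aead, "user:1", []byte("constructed-secret"))
	_, err := openField(aead, "user:2", stored)
	fmt.Println(len(stored), "bytes stored; opening under another record:", err)
}
```

The key must be kept outside the storage system that holds the ciphertext; otherwise an actor who reads the storage also reads the key.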
GDPR. Recital 45: Protecting sensitive personal data. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
GDPR. Art. 32: Security of processing. (1)(a). The controller and the processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security, including the pseudonymisation and encryption of personal data.