The document discusses data encryption and protection of information at rest. It provides examples of how an agency can encrypt hard drives using Symantec and EMC encryption solutions to protect data on user endpoints and in data centers. The agency can also encrypt virtual machines to prevent theft. Additionally, the agency can store data offline in a secure facility with physical security measures like armed guards to protect information at rest. Data encryption helps limit security breaches and protects sensitive data from unauthorized access in compliance with regulations.
4. SC Control family - System & Communications Protection. It has 44 total controls.
7. The information system:
a. Terminates the network connection associated with a communications session at the end of the session or after x hours of inactivity; and
b. Terminates the remote access connection associated with a communications session at the end of the session or after x minutes of inactivity.
Note: x is determined by each agency's ISSO.
8. The SC-10 security control is usually inherited from the General Support System (GSS) at a federal agency. The agency's VPN, switches and network endpoint devices are configured to drop network connections when user sessions end or terminate, or when new security updates/patches are applied.
The agency's internal Cisco VPN, servers and in-house major applications (MA) are configured to drop network connections when user sessions end or terminate.
9. A. The information system protects the confidentiality and integrity of information at rest.
B. The information system provides cryptographic protection of information at rest.
13. The information system protects the confidentiality and integrity of information at rest.
1. Protection of information at rest with cryptographic protection
2. Protection of information at rest with off-line storage
14. A. The agency could use hard disk encryption for both its users' and its data centers' hard drives. For example, use Symantec hard drive encryption for end points in the user population, and use EMC Data Encryption at Rest (DARE) in VNX arrays in the data center. EMC provides a sophisticated key management system for its DARE storage systems.
The agency has the ability to encrypt Virtual Machines (VMs) used in data centers (VCE Vblocks). This prevents insiders from stealing a VM on a USB drive and starting to use it.
B. The agency can protect data by storing it at a secure offline facility protected by adequate physical security, e.g. armed guards and timed biometric access.
Note: For IT systems in the cloud, under FedRAMP SC-28 is the responsibility of the cloud service provider.
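As an added example that is not part of the document or of any product it names, the following Go program shows what SC-28's "confidentiality and integrity" of information at rest means in practice for a single stored record: AES-256-GCM seals the record so it is unreadable without the key, and any change to the stored bytes (or a move to a different storage slot, bound via the label) is detected on read instead of being returned. The key, the label and the record are constructed placeholders; in a real deployment the key comes from the key management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key (supplied by the key management system in practice).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAtRest returns nonce || ciphertext || tag; label (e.g. the file path) is bound as associated data.
func sealAtRest(key, plaintext []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per stored record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// openAtRest verifies and decrypts a sealed blob; any change to the stored bytes or label fails the GCM tag check.
func openAtRest(key, blob []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(label))
	}
	return nil, fmt.Errorf("blob too short to hold a nonce")
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never use a fixed key in production
	blob, _ := sealAtRest(key, []byte("constructed sensitive record"), "/vol1/rec.dat")
	blob[len(blob)-1] ^= 0x01 // flip one bit of the stored record to simulate tampering
	_, err := openAtRest(key, blob, "/vol1/rec.dat")
	fmt.Println("tampered record rejected:", err != nil)
}
```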
15. It is used to protect sensitive data from unauthorized access and is a NIST requirement.
It limits exposure to security breaches: even if someone is able to access the storage media, the data is still protected, preventing unauthorized access to sensitive information.
Data encryption is also a key way to protect data in transit, including both the electronic and physical movement of data for backup, disaster recovery, and/or maintenance.
Finally, data encryption helps address compliance with government and industry regulations such as FISMA, PCI, Sarbanes-Oxley, SB 1386, HIPAA, the U.K.'s DPA and Directive 95/46/EC, as well as internal security mandates.