CIS Controls 3.11: Encrypt Sensitive Data at Rest
Data encryption at rest is your last line of defense if unauthorized users gain physical or logical access to your infrastructure. CIS Controls 3.11 requires encrypting sensitive data stored on servers, applications, and databases—a foundational protection that prevents breach exposure even when perimeter security fails. Understanding and implementing this control is essential for protecting customer data and meeting compliance obligations.
What this means
CIS 3.11 mandates encryption of all sensitive data stored at rest across your organization's infrastructure. Storage-layer encryption (server-side encryption) meets the minimum requirement, meaning data must be encrypted before it's written to disk. This includes databases, file servers, cloud storage, backup systems, and any other repositories containing sensitive information like PII, financial records, or authentication credentials.
How to comply
- 1.Inventory all systems storing sensitive data: servers, databases, applications, and backup storage
- 2.Enable storage-layer or server-side encryption on all identified systems
- 3.Use strong encryption algorithms (AES-256 minimum) approved by your regulatory framework
- 4.Implement encryption key management with secure key storage and rotation policies
- 5.Encrypt backups and archived data with the same standards as live systems
- 6.Document encryption configurations, algorithms, and key management procedures
- 7.Test decryption processes regularly to ensure data can be recovered when needed
- 8.Monitor and audit encryption status across all systems continuously
Evidence auditors look for
- Encryption configuration reports from databases, servers, and cloud storage platforms
- Key management system documentation showing key creation, rotation, and storage procedures
- Backup and archival encryption verification logs
- System configuration screenshots showing encryption enabled at storage layer
- Encryption audit reports from cloud providers or infrastructure platforms
- Incident response tests demonstrating successful data recovery from encrypted backups
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates encryption discovery and validation across your servers and databases, tracks encryption key rotation schedules, and generates real-time compliance reports showing which systems meet CIS 3.11 requirements—eliminating manual inventory checks and audit preparation.
See how GRCWatch handles this control automatically
Start free trial