SC-28 Protection of Information at Rest

System and Communications Protection

Baselines: Moderate, High

Description

Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Supplemental Guidance

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information.

Changes from Rev 4

No significant changes from Rev 4.

MITRE ATT&CK Techniques (42)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access (4), Persistence (4), Privilege Escalation (4), Defense Evasion (7), Credential Access (14), Lateral Movement (1), Collection (11), Exfiltration (7), Impact (3)

Compliance Mappings

ISO 27001:2022

A.7.9, A.8.1, A.8.24

ISO 27002:2022

6.7, 7.9, 8.1, 8.11, 8.24

COBIT 2019

APO14

CIS Controls v8

CIS 11.3, CIS 3, CIS 3.11, CIS 3.6, CIS 3.9, CIS 4

NIST CSF 2.0

PR.DS-01

PCI DSS v4.0.1

3.1, 3.3, 3.5

CSA CCM v4

CEK-03, DSP-07, DSP-17, UEM-08

CSA AICM v1

CEK-03, DSP-07, DSP-17, UEM-08

FINOS CCC

CCC-C02

IEC 62443

3-3 SR 4.1

NIS2 Directive

Art. 21(2)(h)

PRA Operational Resilience

SS2/21-11.1

MAS TRM

1015

APRA CPS 234

Para 22-23

BSI IT-Grundschutz

CON.1, CON.7, OPS.1.2.4, SYS.2.1

ANSSI

Hygiene.19

EU GDPR

Art.32(1)(a), Art.5(1)(f), Rec.83

EU DORA

Art.9(3)

BIO2

6.7, 7.9, 8.1, 8.11, 8.24

RBI CSF

Annex1.15, ITGRCA.16

FISC Security Guidelines

FISC.T4, FISC.T5

LGPD + BCB 4893

BCB.Art.3, LGPD.Art.11, LGPD.Art.46

HKMA TM-E-1

TME1.10.2, TME1.10.3, TME1.11.2, TME1.12.4, TME1.9.1, TME1.9.2

MLPS 2.0

8.1.4.7, 8.1.4.8, 8.2

DNB Good Practice

DNB.12.3

EU CRA

CRA.I.2b, CRA.I.2e

SWIFT CSCF

SWIFT.1.3, SWIFT.2.5A, SWIFT.5.4, SWIFT.6.3

SAMA CSF

3.44.3

NCA ECC

2-3, 2-6, 2-7, 2-8, 4-2

UAE IA

T4, T8

CBB TM

TM-9

Qatar NIA

CS

CBUAE

CR-5, CR-8

CBE CSF

CTO-2, CTO-3

SA JS2

JS2-8.2, JS2-8.3

CBN CSF

Part3.3, Part3.4

BoG CISD

CISD-V, CISD-VI, CISD-XII

POPIA

s19

BoM CTRM

3.10, 3.12, 3.4

IOSCO Cyber Resilience

PROT-3

BCBS 239

Principle 2, Principle 3

CPMI-IOSCO PFMI

CG.PR, PFMI.P17

FFIEC IS

II.C.13, II.C.13(a), II.C.18, II.C.19

NYDFS 500

500.15

HIPAA Security Rule

§164.310(c), §164.310(d)(2)(iv), §164.312(a)(1), §164.312(a)(2)(iv), §164.312(c)(1), §164.312(c)(2)

ECB CROE

CROE.2.2.2, CROE.2.3.3

EBA ICT Guidelines

3.4.4

SEBI CSCRF

DATALOC, PR.CS, PR.DS

BOT Cyber Resilience

Ch2.3, Ch2.7

CMMC 2.0

MPSC

NERC CIP

CIP-011-3

10 CFR 73.54

73.54(c)(1), RG5.71-A-SC

API 1164

Sec 8

PCI PTS v6

C

FIPS 140-3

FIPS 140-3 §7.8, FIPS 140-3 §7.9

CBEST

CBEST.9

TIBER-EU

TIBER.CONF

Common Criteria

CC Part 2 — FCS

ISAE 3402

Clause 4

Solvency II

Art.49(3), DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.7

NAIC Insurance Data Security

4-encryption, 4B

PRA SS1/23

P-IT.3

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.d, 09.f, 10.c, 13.e

FDA 21 CFR Part 11

§11.10(b), §11.10(c), §11.70

FDA Cybersecurity Guidance

SA-2, SA-4

ISO 27799

10.1, 12.3, 6.3, H.4

NHS DSPT

NDG-1.1, NDG-9.6, NDG-9.7

OWASP MASVS v2.1

MASVS-STORAGE-1, MASVS-STORAGE-2

CCSS v9.0

1.01.1, 1.01.4, 1.03.1, 1.03.6, 1.05.5

MiCA

Art.40(1), Art.55(1), Art.63(1), Art.67(1), Art.62(9), Art.97(1), Art.98(1)

BSSC Standards

GSP-09, GSP-13

SEC Custody (Digital Assets)

SEC-CD-08