Configure Encryption settings in accordance with organizational standards.

CONTROL ID: 07625
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure "Elastic Block Store volume encryption" to organizational standards., CC ID: 15434
  • Configure "Encryption Oracle Remediation" to organizational standards., CC ID: 15366
  • Configure the "encryption provider" to organizational standards., CC ID: 14591
  • Configure the "Microsoft network server: Digitally sign communications (always)" to organizational standards., CC ID: 07626
  • Configure the "Domain member: Digitally encrypt or sign secure channel data (always)" to organizational standards., CC ID: 07657
  • Configure the "Domain member: Digitally sign secure channel data (when possible)" to organizational standards., CC ID: 07678
  • Configure the "Network Security: Configure encryption types allowed for Kerberos" to organizational standards., CC ID: 07799
  • Configure the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to organizational standards., CC ID: 07822
  • Configure the "Configure use of smart cards on fixed data drives" to organizational standards., CC ID: 08361
  • Configure the "Enforce drive encryption type on removable data drives" to organizational standards., CC ID: 08363
  • Configure the "Configure TPM platform validation profile for BIOS-based firmware configurations" to organizational standards., CC ID: 08370
  • Configure the "Configure use of passwords for removable data drives" to organizational standards., CC ID: 08394
  • Configure the "Configure use of hardware-based encryption for removable data drives" to organizational standards., CC ID: 08401
  • Configure the "Require additional authentication at startup" to organizational standards., CC ID: 08422
  • Configure the "Deny write access to fixed drives not protected by BitLocker" to organizational standards., CC ID: 08429
  • Configure the "Configure startup mode" to organizational standards., CC ID: 08430
  • Configure the "Require client MAPI encryption" to organizational standards., CC ID: 08446
  • Configure the "Configure dial plan security" to organizational standards., CC ID: 08453
  • Configure the "Allow access to BitLocker-protected removable data drives from earlier versions of Windows" to organizational standards., CC ID: 08457
  • Configure the "Enforce drive encryption type on fixed data drives" to organizational standards., CC ID: 08460
  • Configure the "Allow Secure Boot for integrity validation" to organizational standards., CC ID: 08461
  • Configure the "Configure use of passwords for operating system drives" to organizational standards., CC ID: 08478
  • Configure the "Choose how BitLocker-protected removable drives can be recovered" to organizational standards., CC ID: 08484
  • Configure the "Validate smart card certificate usage rule compliance" to organizational standards., CC ID: 08492
  • Configure the "Allow enhanced PINs for startup" to organizational standards., CC ID: 08495
  • Configure the "Choose how BitLocker-protected operating system drives can be recovered" to organizational standards., CC ID: 08499
  • Configure the "Allow access to BitLocker-protected fixed data drives from earlier versions of Windows" to organizational standards., CC ID: 08505
  • Configure the "Choose how BitLocker-protected fixed drives can be recovered" to organizational standards., CC ID: 08509
  • Configure the "Configure use of passwords for fixed data drives" to organizational standards., CC ID: 08513
  • Configure the "Choose drive encryption method and cipher strength" to organizational standards., CC ID: 08537
  • Configure the "Choose default folder for recovery password" to organizational standards., CC ID: 08541
  • Configure the "Prevent memory overwrite on restart" to organizational standards., CC ID: 08542
  • Configure the "Deny write access to removable drives not protected by BitLocker" to organizational standards., CC ID: 08549
  • Configure the "opt encrypted" flag to organizational standards., CC ID: 14534
  • Configure the "Provide the unique identifiers for your organization" to organizational standards., CC ID: 08552
  • Configure the "Enable use of BitLocker authentication requiring preboot keyboard input on slates" to organizational standards., CC ID: 08556
  • Configure the "Require encryption on device" to organizational standards., CC ID: 08563
  • Configure the "Enable S/MIME for OWA 2007" to organizational standards., CC ID: 08564
  • Configure the "Control use of BitLocker on removable drives" to organizational standards., CC ID: 08566
  • Configure the "Configure use of hardware-based encryption for fixed data drives" to organizational standards., CC ID: 08568
  • Configure the "Configure use of smart cards on removable data drives" to organizational standards., CC ID: 08570
  • Configure the "Enforce drive encryption type on operating system drives" to organizational standards., CC ID: 08573
  • Configure the "Disallow standard users from changing the PIN or password" to organizational standards., CC ID: 08574
  • Configure the "Use enhanced Boot Configuration Data validation profile" to organizational standards., CC ID: 08578
  • Configure the "Allow network unlock at startup" to organizational standards., CC ID: 08588
  • Configure the "Enable S/MIME for OWA 2010" to organizational standards., CC ID: 08592
  • Configure the "Configure minimum PIN length for startup" to organizational standards., CC ID: 08594
  • Configure the "Configure TPM platform validation profile" to organizational standards., CC ID: 08598
  • Configure the "Configure use of hardware-based encryption for operating system drives" to organizational standards., CC ID: 08601
  • Configure the "Reset platform validation data after BitLocker recovery" to organizational standards., CC ID: 08607
  • Configure the "Configure TPM platform validation profile for native UEFI firmware configurations" to organizational standards., CC ID: 08614
  • Configure the "Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives" setting to organizational standards., CC ID: 10039
  • Configure the "Save BitLocker recovery information to AD DS for fixed data drives" setting to organizational standards., CC ID: 10040
  • Configure the "Omit recovery options from the BitLocker setup wizard" setting to organizational standards., CC ID: 10041
  • Configure the "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives" setting to organizational standards., CC ID: 10042
  • Configure the "Save BitLocker recovery information to AD DS for operating system drives" setting to organizational standards., CC ID: 10043
  • Configure the "Allow BitLocker without a compatible TPM" setting to organizational standards., CC ID: 10044
  • Configure the "Do not enable BitLocker until recovery information is stored to AD DS for removable data drives" setting to organizational standards., CC ID: 10045
  • Configure the "Save BitLocker recovery information to AD DS for removable data drives" setting to organizational standards., CC ID: 10046
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Symmetric cryptographic algorithms are not used in Electronic Codebook Mode. (Control: ISM-0479; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Symmetric cryptographic algorithms are not used in Electronic Codebook Mode. (Control: ISM-0479; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Ensure that encryption is enabled for RDS Instances Description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of acc… (2.3.1, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1)
  • Ensure that encryption is enabled for RDS Instances Description: Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of acc… (2.3.1, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • Ensure all S3 buckets employ encryption-at-rest Description: Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest. Rationale: Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encry… (2.1.1, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • Ensure system-wide crypto policy is not over-ridden Description: System-wide Crypto policy can be over-ridden or opted out of for openSSH Rationale: Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms R… (5.2.20, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure system-wide crypto policy is not legacy Description: The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies… (1.10, CIS Oracle Linux 8 Benchmark, Server Level 1, v1.0.1)
  • Ensure system-wide crypto policy is not over-ridden Description: System-wide Crypto policy can be over-ridden or opted out of for openSSH Rationale: Over-riding or opting out of the system-wide crypto policy could allow for the use of less secure Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms R… (5.2.20, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure system-wide crypto policy is not legacy Description: The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-policies… (1.10, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Ensure system-wide crypto policy is FUTURE or FIPS Description: The system-wide crypto-policies followed by the crypto core components allow consistently deprecating and disabling algorithms system-wide. The individual policy levels (DEFAULT, LEGACY, FUTURE, and FIPS) are included in the crypto-poli… (1.11, CIS Oracle Linux 8 Benchmark, Server Level 2, v1.0.1)
  • Verify that encryption initialization vector, cipher configuration, and block modes are configured securely using the latest advice. (6.2.3, Application Security Verification Standard 4.0.3, 4.0.3)
  • Enable user authentication and encryption mechanisms for the management interface of the AP. (§ 5.13.1.1 ¶ 2 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)