V-204771

Discussion

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Application servers generate information throughout the course of their use, most notably, log data. If the data is not encrypted while at rest, the data used later for forensic investigation cannot be guaranteed to be unchanged and cannot be used for prosecution of an attacker. To accomplish a credible investigation and prosecution, the data integrity and information confidentiality must be guaranteed. Application servers must provide the capability to protect all data, especially log data, so as to ensure confidentiality and integrity.

Check Content

Review the application server configuration to ensure the system is protecting the confidentiality and integrity of all application server data at rest when stored off-line.

If the application server is not configured to protect all application server data at rest when stored off-line, this is a finding.