V-213706

Discussion

This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. User data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. If the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.

Check Content

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.

To protect the confidentiality and integrity of information at rest, the database must be encrypted. DB2 native encryption can encrypt the data at rest; or third-party tools, like IBM Guardium, can provide encryption for data at rest.
 
To find if a database is encrypted with DB2 native encryption, run the following SQL Query:
DB2> SELECT SUBSTR(OBJECT_NAME,1,8) AS NAME, SUBSTR(ALGORITHM,1,8) ALGORITHM 
           FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) 
           WHERE OBJECT_TYPE='DATABASE'

If the value of Algorithm is NULL for the database, this is a finding. 

If the database is not encrypted with native encryption or any third-party tool, this is a finding.