DS-03 Data Security & Protection

Encryption at Rest

Stored sensitive/PII/crypto data is protected.

Domain: Data Security & Protection
Control type: Preventive
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS TRM – Data; PDPA

What good looks like

Sensitive data encrypted at rest using managed keys (KMS/CMEK).

Risk if it fails

Data exposure on storage compromise.

How Tess tests it

3 tests — each concludes only on cited evidence.

Encryption-at-rest standard defined

Design

Procedure: Inspect the standard.
Expected: Required for sensitive data.
Sample: 1 (design inspection)
Evidence: KMS config, storage encryption settings.

Stores encrypted (DB/buckets/disks)

Operating

Procedure: Inspect store configuration.
Expected: Encryption enabled (default or CMEK).
Sample: 25 (or full config inspection)
Evidence: KMS config, storage encryption settings.

Keys managed appropriately

Operating

Procedure: Inspect key management.
Expected: Managed and access-controlled.
Sample: 25 (or full config inspection)
Evidence: KMS config, storage encryption settings.

Evidence Tess looks for

KMS config, storage encryption settings.

More in Data Security & Protection

DS-01 Data Classification & Handling DS-02 Network Security / Firewall DS-04 Encryption in Transit DS-05 Cryptographic Key Management

Want Tess to test DS-03 against your evidence?