Encrypt information stored on mobile devices.


CONTROL ID: 01422
CONTROL TYPE: Data and Information Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain mobile device security guidelines. (CC ID: 04723)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm. (Security Control: 0869; Revision: 3, Australian Government Information Security Manual, March 2021)
  • enable encryption, including for any media used (Security Control: 1555; Revision: 0; Bullet 6, Australian Government Information Security Manual, March 2021)
  • enable encryption, including for any removable media (Control: ISM-1555; Revision: 1; Bullet 6, Australian Government Information Security Manual, June 2023)
  • Mobile devices encrypt their internal storage and any removable media. (Control: ISM-0869; Revision: 5, Australian Government Information Security Manual, June 2023)
  • enable encryption, including for any removable media (Control: ISM-1555; Revision: 1; Bullet 6, Australian Government Information Security Manual, September 2023)
  • Mobile devices encrypt their internal storage and any removable media. (Control: ISM-0869; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The organization should encrypt information on mobile devices using at least a DSD Approved Cryptographic Algorithm. (Control: 0869, Australian Government Information Security Manual: Controls)
  • All data on portable computers and personal electronic devices should be encrypted. (§ 3.4.59, Australian Government ICT Security Manual (ACSI 33))
  • Bodies that issue mobile storage and processing medium for personal data or runs automated processing, in part or its entirety, on the medium must notify the data subject of its identity and address, the medium's functioning mode in generally comprehensible terms, the type of personal data being pro… (§ 6c, German Federal Data Protection Act, September 14, 1994)
  • General encryption of mobile data storage devices or the information assets stored thereon: (C, I) (3.1.4 Additional requirements for high protection needs Bullet 1, Information Security Assessment, Version 5.1)
  • App 2 ¶ 15: Laptops that store information generated or supplied as a consequence of the contract must have, at a minimum, a FIPS 140-2 approved full disk encryption solution installed. This is applicable to UK contractors. App 6 ¶ 16: Laptops that store information generated or supplied as a cons… (App 2 ¶ 15, App 6 ¶ 16, The Contractual process, Version 5.0 October 2010)
  • Secure handheld devices with strong passwords and always encrypt PSKs if cached locally. (4.1.1 D, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Merchants should consider using full disk encryption on mobile devices, if available. This provides additional protection in the event of theft or loss of the device and may also prevent users from disabling device-level authentication. (¶ 5.2.4, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Laptops should be required to encrypt all sensitive files. The encryption software should include a recovery key. (Pg 12-I-23, Protection of Assets Manual, ASIS International)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by storing sensitive information on an approved encrypted portable storage device, which is kept with the individual (to help ensure the information is protected when the mobile device is un… (CF.14.01.07c, The Standard of Good Practice for Information Security)
  • Standards / procedures should include encryption of sensitive information stored on portable storage devices. (CF.14.04.02d, The Standard of Good Practice for Information Security)
  • Portable storage devices should be protected by the use of encryption techniques (e.g., using encryption software installed on the device, or using file-encryption software on the computing device to which the portable storage device connects). (CF.14.04.03c, The Standard of Good Practice for Information Security)
  • Staff traveling to 'high-risk' countries or regions should protect sensitive information from targeted attack by storing sensitive information on an approved encrypted portable storage device, which is kept with the individual (to help ensure the information is protected when the mobile device is un… (CF.14.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Mobile devices (including laptops and consumer devices) should be supported by documented standards / procedures, which cover use of encryption to protect sensitive information. (CF.14.02.01d, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should include encryption of sensitive information stored on portable storage devices. (CF.14.04.02c, The Standard of Good Practice for Information Security, 2013)
  • Portable storage devices should be protected by the use of encryption techniques (e.g., using encryption software installed on the device, or using file-encryption software on the computing device to which the portable storage device connects). (CF.14.04.04c, The Standard of Good Practice for Information Security, 2013)
  • Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data. (Control 13.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should encrypt the hard drives of mobile computers that contain sensitive data. (Critical Control 17.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls. (MOS-11, Cloud Controls Matrix, v3.0)
  • Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. (CIS Control 13: Sub-Control 13.6 Encrypt Mobile Device Data, CIS Controls, 7.1)
  • Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices. (CIS Control 13: Sub-Control 13.6 Encrypt the Hard Drive of All Mobile Devices, CIS Controls, V7)
  • Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. (§ A.10.5 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Portable physical media and portable devices that do not permit encryption should not be used except where it is unavoidable, and any use of such portable media and devices should be documented. (§ A.11.5 ¶ 2, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should encrypt personal information that is stored or accessed from mobile devices or portable media. (Table Ref 8.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets. (CC6.7 Protects Mobile Devices, Trust Services Criteria)
  • Processes are in place to protect mobile devices (such as laptops, smart phones, and tablets) that serve as information assets. (CC6.7 ¶ 2 Bullet 4 Protects Mobile Devices, Trust Services Criteria, (includes March 2020 updates))
  • Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media; (Section 4.D ¶ 1(2)(d), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • When desktop computers are used to transmit scoped systems and data, is encryption used to secure mobile computing devices? (§ G.22.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is encryption used to secure mobile computing devices? (§ G.22.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is encryption used to secure mobile computing devices? (§ G.22.14, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Laptop computers should be accredited by the DAA. The accreditation should include approved processing locations, authorized connectivity, and whether or not classified and/or unclassified-sensitive data can be processed on the computer. If the laptop has a non-removable hard drive that is used to s… (§ 2-27, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.13.7: Only approved portable computing or portable network devices may be connected to the CMS claims processing network. The organization must use either removable hard drives and/or a FIPS-approved method of cryptography to protect information on mobile and portable information systems. CSR … (CSR 1.13.7, CSR 2.2.24, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Remote users must encrypt sensitive government files, folders, and storage devices on mobile client devices and remote client devices with a Federal Information Processing Standards 140-2 validated cryptographic module using a National Institute of Standards and Technology approved encryption algori… (§ 3.4.2.1 ¶ AC34.060, DISA Access Control STIG, Version 2, Release 3)
  • Diskettes and removable hard drives should be kept separate from the laptop, if possible. A Type 1 media encryptor must be used to protect removable media. (§ 3.3, § 6.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The wireless e-mail system administrator (SA) sends a "Wipe" or "Kill" command to the Wireless e-mail handheld device and removes the device from the wireless e-mail management server when a wireless e-mail device is reported lost or stolen. If a wireless e-mail device is lost or stolen, the device … (§ 2.2 (WIR1090), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • Wireless e-mail devices that are reported as lost or stolen should be removed from the wireless e-mail management server; it should be immediately disabled; and, once the device is deemed unrecoverable, be permanently removed from the wireless e-mail management server, and the service provider shoul… (§ 2.2 (WIR3090), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • Wireless e-mail devices that are reported as lost or stolen should be removed from the wireless e-mail management server; a "Wipe" or "Kill" command should be sent to the device. If a wireless e-mail device is known to be lost or stolen, it should be immediately disabled; and, once the device is dee… (§ 2.2 (WIR2090), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Encrypt CUI on mobile devices and mobile computing platforms. (AC.3.022, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Encrypt CUI on mobile devices and mobile computing platforms. (AC.3.022, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Encrypt CUI on mobile devices and mobile computing platforms. (AC.3.022, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Encrypt CUI on mobile devices and mobile computing platforms. (AC.L2-3.1.19 Encrypt CUI on Mobile, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Encrypt all CJI resident on the device. (§ 5.13.3 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Enforcement of folder or disk level encryption (§ 5.13.2 ¶ 3 2.e., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 14, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Portable computers containing sensitive information should be protected appropriately. (Pg 13, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Removable media that contains Federal Tax Information (FTI) should be locked up when not in use. When in use, FTI should be in a secure area under the control of an authorized individual. Mobile devices and computers located at alternate work sites that contain FTI must be encrypted to prevent data … (§ 4.6, § 4.7.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records, documents, and portable and mobile devices should be examined to ensure removable hard drives or cryptography is used to protect stored information on these devices. Interviews should be conducted with personnel who use portable or mobile devices to determine if removable ha… (AC-19(1), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should provide all users with measures they can take to protect handheld Bluetooth devices from theft. When a Bluetooth device is stolen or lost, the user should immediately unpair the device from all other Bluetooth devices with which it is paired. (Table 4-2 Item 5, Table 4-2 Item 26, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Mobile handheld devices should be strictly controlled at all times and should be securely stored when left unattended. Organization cell phones should not be lent to another person, because he/she could change the configuration, make toll calls, or make threatening calls that will be traced back to … (§ 4.1.1, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Encrypt CUI on mobile devices. (3.1.19, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Encrypt CUI on mobile devices and mobile computing platforms. (3.1.19, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Encrypt CUI on mobile devices and mobile computing platforms. (3.1.19, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should use cryptographic mechanisms to protect and restrict access to information on portable digital media. (App F § MP-2(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs {full-device encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {container encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs {full-device encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs {container encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs {full-device encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs {container encryption} to protect the confidentiality and integrity of information on {organizationally documented mobile devices}. (AC-19(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on any laptop computer or other portable computing or storage device or media. (Section 27-62-4(d)(2) d., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Pay particular attention to protecting notice-triggering personal information on laptops and other portable computers and storage devices. (Part I ¶ 5, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • encryption of all personal information stored on a laptop computer or other portable device, (§ 38a-999b(b)(2)(B)(iv), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Protection, by encryption or other appropriate means, of all nonpublic information while such information is transmitted over an external network or stored on a laptop computer or other portable computing or storage device or medium; (Part VI(c)(4)(B)(iv), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Protect by encryption or other appropriate means all nonpublic information while the nonpublic information is transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§ 8604.(d)(2) d., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§431:3B-203(2)(D), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Protecting by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (Sec. 18.(2)(D), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media. (507F.4 4.b.(4), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§2504.D.(2)(d), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Protect, by encryption or other appropriate means, all nonpublic information while it is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§2264 4.B.(4), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(5), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • Protecting by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (Sec. 555.(4)(b)(iv), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 60A.9851 Subdivision 4(2)(iv), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 83-5-807 (4)(b)(iv), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§ 420-P:4 IV.(b)(4), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (26.1-02.2-03. 4.b.(4), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (Section 3965.02 (D)(2)(d), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • protecting by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (SECTION 38-99-20. (D)(2)(d), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Protect by encryption or other appropriate means nonpublic information being transmitted over an external network and nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 56-2-1004 (4)(B)(iv), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. (AC-19(5) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Protect, by encryption or other means, nonpublic information being transmitted over an external network and nonpublic information stored on a portable computer or storage device or media. (§ 601.952(3)(b)4., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)