Data must be encrypted when transmitted across networks to protect against eavesdropping on network traffic by unauthorised users.
Where the source and target endpoint devices are on the same protected subnet, covered data transmission should still be encrypted as recommended below: a subnet boundary does not stop an attacker who is already inside it, and a covered data breach has a high negative impact. The transmissions in scope include client-to-server and server-to-server communication, and any data transfer between core systems and third-party systems. Industry-standard protocols (TLS is the usual choice) shall be used rather than custom or proprietary encryption, and the receiving endpoint must be authenticated, since encryption to an unverified peer protects nothing.
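The in-transit rule above, as an added example that is not part of this standard: a Go client and server (standard library only) that enforce TLS 1.2 as the minimum version and verify the server certificate against a trusted pool, next to the misconfiguration (`InsecureSkipVerify`) that keeps the encryption but drops the authentication a same-subnet attacker would exploit. The host name `db.internal.example`, the self-signed certificate and the loopback socket are assumptions made so the example runs offline; in production the certificate comes from the organisation's CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ServerName is an assumed host name for the internal service in this example.
const ServerName = "db.internal.example"

// newSelfSignedCert builds a throwaway certificate so the handshake can run
// in-process. In production the certificate is issued by the organisation's CA
// and the client trusts that CA, not this leaf.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ServerName},
		DNSNames:     []string{ServerName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}

// ServerConfig sets the floor at TLS 1.2; TLS 1.0 and 1.1 are deprecated.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// ClientConfig trusts only the organisation's CA pool and checks the server name.
// Without both, a host on the same subnet can present its own certificate and the
// "encrypted" channel terminates at the attacker.
func ClientConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: ServerName, MinVersion: tls.VersionTLS12}
}

// Handshake runs one TLS handshake over a loopback socket and returns the
// connection state as seen by the client, or the error that ended the handshake.
func Handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		done <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		<-done
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	return conn.ConnectionState(), <-done
}

func main() {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := ServerConfig(cert)
	st, err := Handshake(srv, ClientConfig(pool))
	fmt.Printf("trusted CA: version=%#x err=%v\n", st.Version, err)
	// The setting to avoid: InsecureSkipVerify accepts any certificate, so the
	// channel is encrypted but the peer is never authenticated.
	_, err = Handshake(srv, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12})
	fmt.Println("skip-verify accepts an unknown cert, err =", err)
}
```

A client presenting an empty root pool, or offering only TLS 1.0/1.1, is rejected; the `InsecureSkipVerify` client "succeeds" against the same unknown certificate, which is exactly why that flag must not appear in production configuration.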
Data at rest (stored in a database or in a file on disk) should be encrypted using the storage device's built-in encryption where it is available. Where it is not, assess the risk level of the data and implement application- or database-level encryption if the risk level requires it. AES-256 or AES-128 should be used, in an authenticated mode so that modified stored data is detected rather than silently decrypted; if the data is sensitive or must remain protected for a long time, AES-256 should be used. Encryption keys must be stored and managed separately from the encrypted data, since encryption gives no protection against an attacker who obtains both.
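The at-rest rule above, as an added example that is not part of this standard: application-level AES-256-GCM encryption in Go using only the standard library, with a check that rejects a 128-bit key for sensitive or long-lived data and a decrypt that fails if the stored blob was altered. Key handling is an assumption: in practice the key comes from a key-management service kept apart from the data store; here it is generated in memory. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Standard AES key lengths in bytes: 32 for AES-256, 16 for AES-128.
const (
	KeyLenAES256 = 32
	KeyLenAES128 = 16
)

var (
	ErrKeyTooShortForLongTerm = errors.New("sensitive or long-retention data requires a 256-bit AES key")
	ErrBadKeyLen              = errors.New("key must be 16 or 32 bytes (AES-128 or AES-256)")
)

// CheckKeyForData applies the policy rule: AES-128 or AES-256 is acceptable in
// general, but sensitive or long-retention data must use AES-256.
func CheckKeyForData(key []byte, longTermOrSensitive bool) error {
	switch len(key) {
	case KeyLenAES256:
		return nil
	case KeyLenAES128:
		if longTermOrSensitive {
			return ErrKeyTooShortForLongTerm
		}
		return nil
	default:
		return ErrBadKeyLen
	}
}

// Encrypt seals plaintext with AES-GCM and returns nonce || ciphertext || tag as
// one blob for storage. The nonce is random per call and never reused with the
// same key; GCM's tag is what makes tampering detectable on decrypt.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce used as dst.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and returns an error if any byte of the blob changed.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Assumption: a real deployment fetches this key from a KMS, not from memory.
	key := make([]byte, KeyLenAES256)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: account 0000-0000") // constructed, not real data
	if err := CheckKeyForData(key, true); err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the stored blob, as corruption or tampering would
	_, err = Decrypt(key, blob)
	fmt.Println("after tampering:", err)
}
```

Per-call random nonces are safe for GCM as long as the number of encryptions under one key stays well below 2^32; rotate the key before that, and treat the failed-decrypt path as an integrity incident rather than a retry.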