| Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. |
If the documentation indicates no information requires such protections, this is not a finding.
Review the configuration of the DBMS, operating system/file system, and additional software as relevant.
If any of the information defined as requiring protection is not encrypted in a manner that provides the required level of protection and is not physically secured to the required level, this is a finding.