Is your data encrypted at rest? Is your data encrypted in a database, at the file level, or at the hardware (disk) level?

encryption at rest

Encryption at rest ensures that data is encrypted when it is written to a storage medium.  Hard drives or volumes on virtualized storage must be encrypted, and backup tapes also need to be encrypted. It is important to encrypt all removable media, including hard drives and USB sticks.

Why are they asking this?

Encryption of data at rest ensures that, if the drives or tapes were stolen or lost, the data would not be accessible to whoever is in possession of the storage media.

What do they expect?

Organizations dealing with highly sensitive data will require that all data stored on non-volatile storage (hard drives, solid state drives, USB drives/sticks, network attached storage, or other such devices) be encrypted.

Most organizations will require devices such as laptops, external hard drives, and USB sticks to be encrypted, as these are the most often lost or stolen devices. 

Additionally, if backup tapes are stored off site, or transported to a different site within the organization, these are also vulnerable to loss or theft and should be encrypted.
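One way to back up an answer to this question for Linux hosts is to audit which mounted filesystems actually sit on an encrypted block device. The example below is added here and is not part of the original page; it walks the JSON tree produced by `lsblk -J` and flags any mounted filesystem that has no dm-crypt ("crypt") device anywhere in its ancestry, which also covers stacked layouts such as LVM on LUKS. The sample tree is constructed for the example; on a real host, `audit_live_host()` reads it from `lsblk` (assumed available with the `-J` JSON output option).

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# sda2 holds a LUKS container whose dm-crypt mapping carries the root
# filesystem, sda1 is the unencrypted EFI partition, and sdb1 is a USB
# stick mounted without encryption.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name":"sda","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"sda1","type":"part","fstype":"vfat","mountpoint":"/boot/efi"},
    {"name":"sda2","type":"part","fstype":"crypto_LUKS","mountpoint":null,"children":[
      {"name":"cryptroot","type":"crypt","fstype":"ext4","mountpoint":"/"}]}]},
  {"name":"sdb","type":"disk","fstype":null,"mountpoint":null,"children":[
    {"name":"sdb1","type":"part","fstype":"exfat","mountpoint":"/media/usb"}]}
]}
""")


def find_mounted_filesystems(devices, encrypted=False):
    """Walk the lsblk tree and yield (device, mountpoint, encrypted) for every
    mounted filesystem. A filesystem counts as encrypted when it, or any device
    above it in the stack, is a dm-crypt ('crypt') mapping."""
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and mountpoint != "[SWAP]":
            yield (dev["name"], mountpoint, enc)
        # Children inherit the encryption status of their parent layer.
        yield from find_mounted_filesystems(dev.get("children", []), enc)


def unencrypted_mounts(lsblk_json):
    """Return the mountpoints whose backing device chain has no dm-crypt layer."""
    mounts = find_mounted_filesystems(lsblk_json["blockdevices"])
    return sorted(mp for _, mp, enc in mounts if not enc)


def audit_live_host():
    """Run lsblk on the current Linux host and report unencrypted mounted filesystems."""
    cmd = ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(json.loads(out))


if __name__ == "__main__":
    for mp in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"not encrypted at rest: {mp}")
```

The check only sees dm-crypt/LUKS volumes; self-encrypting drives, database-level or file-level encryption are not visible in `lsblk` and need their own evidence. An unencrypted `/boot/efi` is normal, but any data or removable-media mount in the list is a finding.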

hardware security modules

Hardware security modules (HSMs) are network devices that store and generate cryptographic keys for use by applications on the network. An HSM is a highly secure device that uses standard protocols to ensure that each request is authenticated and that the key is transmitted securely. An HSM uses dedicated hardware to generate, store, and protect all the keys; this hardware is tamper resistant and will destroy the key material before allowing a physical attack to succeed.

Why are they asking this?

An HSM provides the highest level of protection for cryptographic keys. If these keys were compromised, many other security controls would be negated: with these keys, an attacker could decrypt all the data protected by encryption. They want to ensure that the keys are protected to the highest level possible.

What do they expect?

They expect that an HSM is used to protect the cryptographic keys used in the environment. It is expected that the HSM is configured for high availability so that the keys, and thus access to their data, are not lost in the event of a hardware failure of an HSM. The HSM needs to be configured properly to meet encryption standards and to allow access only to hosts that require use of the keys.