Encrypted Storage for Sensitive Data
Plain English Translation
Organizations must ensure that any sensitive business information stored on mobile devices is protected by encryption. This means that if a smartphone or tablet is lost or stolen, the data remains unreadable to unauthorized users. Enabling native device encryption, using secure containers, and enforcing these settings through enterprise mobility management tools are the key steps to meeting this CyberSecure Canada requirement.
Technical Implementation
Required Actions (startup)
- Enable native device encryption on all employee mobile devices, such as iOS Data Protection and Android File-Based Encryption.
- Establish a written policy requiring strong passcodes or biometrics to unlock devices; the passcode protects the key used to decrypt the device's data, so without it the encryption provides no protection.
Required Actions (scaleup)
- Deploy an EMM or MDM solution to systematically enforce encryption and passcode requirements across all mobile endpoints.
- Use containerization technologies to separate and encrypt corporate data on BYOD devices.
Required Actions (enterprise)
- Continuously monitor encryption compliance via MDM dashboards with centralized reporting.
- Implement automated remediation, such as restricting access to corporate email and network resources for any device found to be unencrypted.
CyberSecure Canada Section 6.1.3.2(c) explicitly requires organizations to ensure that all mobile devices store sensitive information in a secure, encrypted state. This prevents unauthorized data access if the device is lost or stolen.
Mobile device encryption scrambles the data stored on a smartphone or tablet so it cannot be read without the correct PIN, password, or biometric key. It is required to protect sensitive data from exposure during device theft or loss, acting as a critical fail-safe for confidentiality.
Sensitive information includes personally identifiable information (PII), financial records, employee records, proprietary intellectual property, and internal business communications. Any data that could cause injury to the organization or its clients if disclosed must be encrypted.
Organizations can enforce encryption by deploying an MDM or EMM solution like Microsoft Intune or Jamf. These platforms allow administrators to push compliance policies that mandate device passcodes, which natively enables hardware encryption on modern iOS and Android devices. To stay audit-ready, tools like WatchDog Security's Compliance Center can store MDM compliance reports and tie them back to CSC-06-009 during reviews.
For compliance purposes, administrators can verify iOS encryption via their MDM dashboard, looking for the Data Protection status. Locally on the device, ensuring a passcode is set in the Face ID & Passcode or Touch ID & Passcode settings confirms that encryption is active.
Android device encryption can be verified through an MDM compliance report checking for Encryption at Rest status. On the device itself, users can check the Security or Encryption & credentials settings menu to confirm the device is encrypted.
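The enterprise actions above (monitor compliance, remediate unencrypted devices) and the iOS "Data Protection" and Android "Encryption at Rest" status fields can be combined into a single check over an MDM compliance export. The following is an added example, not code from the page or from any MDM vendor's tooling; the export columns, status strings and 30-day staleness window are assumptions, and the sample rows are constructed.

```python
"""Evaluate a constructed MDM compliance export against the encrypted-storage requirement."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export. Column names and status strings are assumptions,
# not a real MDM schema: iOS reports "Data Protection", Android "Encryption at Rest".
SAMPLE_EXPORT = """\
device_id,platform,passcode_set,encryption_status,last_checkin
ios-001,iOS,true,Data Protection: Enabled,2026-02-20
ios-002,iOS,false,Data Protection: Disabled,2026-02-21
and-001,Android,true,Encryption at Rest: Encrypted,2026-02-22
and-002,Android,true,Encryption at Rest: Not encrypted,2026-02-19
and-003,Android,true,Encryption at Rest: Encrypted,2026-01-10
"""

ENCRYPTED_STATES = {"Data Protection: Enabled", "Encryption at Rest: Encrypted"}
MAX_CHECKIN_AGE = timedelta(days=30)  # a stale report is not evidence of compliance


@dataclass(frozen=True)
class Finding:
    device_id: str
    reasons: tuple[str, ...]
    # Remediation named in the enterprise actions: cut off corporate resources.
    action: str = "Restrict corporate email and network access until remediated"


def evaluate(export_csv: str, today: date) -> list[Finding]:
    """Return one Finding per noncompliant device; an empty list means every device passes."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        reasons = []
        if row["passcode_set"].strip().lower() != "true":
            reasons.append("no passcode: encryption keys are unprotected")
        if row["encryption_status"].strip() not in ENCRYPTED_STATES:
            reasons.append(f"not encrypted ({row['encryption_status']})")
        if today - date.fromisoformat(row["last_checkin"]) > MAX_CHECKIN_AGE:
            reasons.append("compliance report stale (>30 days since check-in)")
        if reasons:
            findings.append(Finding(row["device_id"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EXPORT, date(2026, 2, 24)):
        print(f.device_id, "|", "; ".join(f.reasons), "|", f.action)
```

The output of `evaluate` is the list an auditor would expect to see alongside the export: which devices fail, why, and what access restriction was applied.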
Full-disk encryption or file-based encryption on modern mobile operating systems generally satisfies the baseline encrypted storage requirement. However, organizations may also use app-level encryption or secure containers like Android Work Profile for stronger separation of corporate and personal data on BYOD devices.
Industry best practices recommend using the Advanced Encryption Standard (AES) with 128-bit or 256-bit keys for data-at-rest. When applicable, organizations should use FIPS 140-validated encryption modules to ensure the cryptographic algorithms meet rigorous security standards.
Auditors look for MDM or EMM compliance reports showing that encryption is universally enforced across all enrolled mobile devices. Additional evidence includes documented security policies requiring encryption and screenshots of configuration profiles enforcing passcodes and data protection. Tools like WatchDog Security's Compliance Center can help automate evidence collection workflows and maintain an audit trail for CSC-06-009.
Organizations must trigger their incident response plan immediately upon learning of a lost or stolen device. The device should be remotely wiped via the MDM platform to destroy the encrypted data, and the event must be logged to determine if a formal data breach reporting procedure is necessary.
Encryption is often enforced in MDM/EMM tools, but audits fail when evidence is scattered or outdated. Tools like WatchDog Security's Compliance Center can centralize MDM compliance exports, screenshots, and policy attestations, and map them directly to CSC-06-009 with an auditable trail.
A clear policy defines which devices are in scope, what “sensitive data” includes, and what happens when a device is noncompliant. Tools like WatchDog Security's Policy Management can manage version control, approvals, and acceptance tracking so teams can prove the requirement is communicated and enforced.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |