Data at Rest Security Checklist

Ensure you have secured platform and mobile data that is at rest, either on the corporate LAN or on client devices. Check activities off as you complete them.

Activity Completed?
Set file system permissions on data tier hosts.  
Secured backup artifacts on data tier hosts.  
Encrypted data and log output for the data tier.  
Encrypted data on the device.  
Enabled a data vault for sensitive data.  
Note: The application developer is responsible for retrieving the data vault password policy that the application receives from the server during application registration, and for applying that policy to the vault.
For example, in a Windows client using C#:
DataVault vault = null;
// handle first-run initialization - create vault, set password policy
if (!DataVault.VaultExists("myVault"))
{
vault = DataVault.CreateVault("myVault", null, null);
vault.Unlock(null, null);
ApplicationSettings aps = app.ApplicationSettings;

// Apply the server-supplied password policy to the newly created vault.
// This only runs when the application settings are available; otherwise nothing
// below executes and the vault stays as it was created and unlocked above
// (null password and salt arguments).
if (aps.IsApplicationSettingsAvailable())
{
// PwdPolicy_Enabled gates everything that follows: when it is false, no policy is
// set and the password is not changed in this block.
bool policyEnabled = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Enabled);
if (policyEnabled)
{
try
{
// Copy every policy field from the settings into a fresh policy object, so the
// vault enforces the values read from the settings rather than client-side constants.
DataVault.PasswordPolicy oPasswordPolicy = new DataVault.PasswordPolicy();
oPasswordPolicy.defaultPasswordAllowed = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Default_Password_Allowed);
oPasswordPolicy.minimumLength = (int) aps.GetIntegerProperty(ConnectionPropertyType.PwdPolicy_Length);
oPasswordPolicy.hasDigits = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Has_Digits);
oPasswordPolicy.hasUpper = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Has_Upper);
oPasswordPolicy.hasLower = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Has_Lower);
oPasswordPolicy.hasSpecial = (bool) aps.GetBooleanProperty(ConnectionPropertyType.PwdPolicy_Has_Special);
oPasswordPolicy.expirationDays = (int) aps.GetIntegerProperty(ConnectionPropertyType.PwdPolicy_Expires_In_N_Days);
oPasswordPolicy.minUniqueChars = (int) aps.GetIntegerProperty(ConnectionPropertyType.PwdPolicy_Min_Unique_Chars);
oPasswordPolicy.lockTimeout = (int) aps.GetIntegerProperty(ConnectionPropertyType.PwdPolicy_Lock_Timeout);
oPasswordPolicy.retryLimit = (int) aps.GetIntegerProperty(ConnectionPropertyType.PwdPolicy_Retry_Limit);
// SetPasswordPolicy() will always lock the vault to ensure the old password
// conforms to the new password policy settings.
vault.SetPasswordPolicy(oPasswordPolicy);
// Replace the password the vault was created with by `pwd`, which is defined outside
// this excerpt (presumably the password chosen by the user - confirm).
// NOTE(review): the null arguments look like current password, current salt and
// new salt - confirm the parameter order against the DataVault API.
vault.ChangePassword(null, null, pwd, null);
}
catch (DataVaultException dve)
{
// NOTE(review): the failure is only written to the console and execution continues.
// If ChangePassword() threw, the vault presumably still has the password it was
// created with; a production client should re-prompt for a compliant password or
// stop, rather than go on storing sensitive data in that vault - confirm intended handling.
Console.WriteLine("password not good enough? " + dve);
}
}
}