NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-13(3) — Individuals Without Formal Access Approvals
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
When individuals without formal access approvals need to handle encrypted data (like IT support staff), ensure the encryption prevents them from accessing the data content while still allowing them to perform their support tasks.
Example 1: Use BitLocker with TPM+PIN so IT support staff can troubleshoot hardware issues and reimage machines without ever seeing the encrypted data on the drive. The encryption key is bound to the TPM and the authorized user's PIN — IT staff do not have the PIN.
Example 2: For database support, use column-level encryption with Always Encrypted in SQL Server. Database administrators can manage the database schema, perform backups, and tune performance without ever seeing the plaintext values in encrypted columns.
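The separation described in Example 2, as an added illustration that is not part of the original control notes: a SQL Server Always Encrypted setup in which the column master key lives outside the database, so a DBA session sees only ciphertext. Object names are constructed, and the certificate path and ENCRYPTED_VALUE are placeholders.

```sql
-- Added example (not from the page): SQL Server Always Encrypted for the DBA scenario.
-- Object names are constructed; the key path and ENCRYPTED_VALUE are placeholders.

-- 1. Column master key: held OUTSIDE the database, in a key store that only
--    the application owners control (here a certificate in the app server's
--    Windows store). The DBA never holds this key; that is the whole control.
CREATE COLUMN MASTER KEY CMK_AppOwners
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERTIFICATE_THUMBPRINT_PLACEHOLDER>'
);

-- 2. Column encryption key: stored in the database only as a blob wrapped
--    by the master key, so backups and schema exports carry no usable key.
--    The real ENCRYPTED_VALUE is generated client-side by the key owner.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_AppOwners,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder for the client-generated wrapped key
);

-- 3. Encrypted columns: the engine stores and processes ciphertext only.
CREATE TABLE dbo.Customers (
    CustomerId  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,              -- not sensitive, plaintext
    NationalId  char(11) COLLATE Latin1_General_BIN2 -- BIN2 required for DETERMINISTIC
                ENCRYPTED WITH (
                    ENCRYPTION_TYPE = DETERMINISTIC,  -- permits equality lookups
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                    COLUMN_ENCRYPTION_KEY = CEK_Customers) NOT NULL,
    CreditLimit money
                ENCRYPTED WITH (
                    ENCRYPTION_TYPE = RANDOMIZED,     -- stronger; no server-side compare
                    ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                    COLUMN_ENCRYPTION_KEY = CEK_Customers) NULL
);

-- 4. The DBA's view: from a session without "Column Encryption Setting=Enabled"
--    in its connection string (the normal state for admin tooling), the two
--    encrypted columns return as varbinary ciphertext, while backups, index
--    maintenance and query tuning keep working.
SELECT CustomerId, FullName, NationalId, CreditLimit FROM dbo.Customers;

-- 5. Check the separation holds: the catalog exposes the CEK only in wrapped
--    form, which is useless without the master key the DBA does not have.
SELECT k.name, kv.encrypted_value, kv.encryption_algorithm_name
FROM sys.column_encryption_keys AS k
JOIN sys.column_encryption_key_values AS kv
  ON k.column_encryption_key_id = kv.column_encryption_key_id;
```

The control only holds if the master key store is genuinely outside the DBA's reach; a DBA who also administers the application server or its certificate store can decrypt the columns.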