
CRY-05 Encryption of Data in Transit

>Control Description

Organization restricted data that is transmitted over public networks is encrypted.

Theme

Technology

Type

Preventive

Policy/Standard

Cryptographic Management Policy

>Implementation Guidance

1. Ensure that Organization's Data Classification and Handling Standard and Data Encryption Standard include requirements for encrypting data at rest.
2. Ensure that the data sent in transit is encrypted by performing the following:
   a. Use the latest TLS version and cipher suites over the browser.
   b. Use valid digital certificates on the endpoint.
   c. Perform a periodic check by running a Qualys-provided SSL Labs feature that scans an endpoint and enumerates all ciphers and TLS versions permitted on the endpoint.
3. If the service does not have public-facing endpoints, ensure that the configuration of the load balancer and corresponding Security group specifies the TLS versions and cipher suites allowed.
4. Ensure that expired SSL certificates are identified and remediated.

>Testing Procedure

1. Inspect Organization's Data Classification and Handling Standard and Data Encryption Standard to determine whether requirements for encrypting data at rest were defined.
2. Obtain the list of all public-facing endpoints for the service. Inspect each public-facing endpoint to determine if data sent in transit is encrypted by performing the following:
   a. Inspecting the TLS version and cipher suites being used over the browser.
   b. Inspecting the validity of the digital certificates being used by the endpoint.
   c. Running a Qualys-provided SSL Labs feature that scans an endpoint and enumerates all ciphers and TLS versions permitted on the endpoint.
3. If the service does not have public-facing endpoints, obtain the configuration of the load balancer and corresponding Security group with details of the TLS versions and cipher suites allowed.
4. Obtain the list of expired SSL certificates and validate whether tracking and remediation of the expired SSL certificates were performed.
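The per-endpoint checks in the Implementation Guidance and Testing Procedure (TLS version, cipher suite, certificate validity and expiry) can be scripted between full scans. The following is an added example, not part of the control text; the minimum version, the cipher denylist and the 30-day warning window are assumed policy values, and `evaluate` and `probe` are hypothetical helper names.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy values for illustration; the control only says "latest TLS version".
MIN_TLS = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5")
EXPIRY_WARN_DAYS = 30

_VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
             "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def evaluate(version, cipher, not_after, now=None):
    """Return policy findings for one session or one certificate inventory row.

    version and cipher are the negotiated values; not_after is the certificate
    expiry in the format getpeercert() uses, e.g. 'Jun 15 00:00:00 2024 GMT'.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    negotiated = _VERSIONS.get(version)
    if negotiated is None or negotiated < MIN_TLS:
        findings.append(f"protocol {version} below policy minimum")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings

def probe(host, port=443, timeout=5):
    """Handshake with default verification and return (version, cipher, notAfter).

    An untrusted chain, hostname mismatch or expired certificate raises
    ssl.SSLCertVerificationError, which is itself a finding for item 2b.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.getpeercert()["notAfter"]
```

A single handshake reports only the suite that was negotiated, so this complements the full enumeration scan in item 2c rather than replacing it.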

>Audit Artifacts

E-CRY-06
E-CRY-07
E-CRY-08
E-CRY-09
E-CRY-10
E-CRY-11
E-CRY-12
E-CRY-13

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
