DATA-6 Data In-Transit Encryption

What is DATA-6 Data In-Transit Encryption Control?

Data in Transit Encryption refers to the process of encrypting data while it is being transferred between systems, networks, or devices. This control is about ensuring that data remains secure and unreadable to unauthorized parties while it is moving from one location to another, thereby protecting it from interception or eavesdropping.

Available tools in the marketplace

Tools

Any SSL/TLS Protocols tools: Used for securing internet communications. Any VPN Services tools: Provide encrypted tunnels for secure data transfer. Any Email Encryption Tools: Secure email communications. Cloud Service Providers: Offer built-in encryption for data in transit. Any Network Encryption Tools: Encrypt data on corporate networks.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• Encryption best practices from NIST

Control implementation

NOTE: This control is 100% automated by TrustCloud. Connect your system to enjoy the benefits of automation.

To implement this control manually, 

Start by assessing data flow and understanding how and where data moves in your organization. Then, choose the right tools by selecting appropriate encryption tools based on data type and transfer methods. Configure the encryption by setting up and configuring the chosen encryption tools. Finally, train your staff by educating them on secure data handling practices.

What evidence do auditors look for?

Auditors could request any of the following:

• Encryption Policies and Procedures: Documentation outlining the organization’s encryption practices.
• Configuration Records: Proof of encryption configurations and settings.
• Logs and Monitoring Records: Evidence of ongoing monitoring and logging of data transfers.

However, most auditors, at a minimum, are looking for the below-suggested action:

1. Provide a screenshot of the configuration settings showing that data in transit encryption is enabled.

Evidence example

From the suggested action above, an example is provided below.

1. Provide configuration of data in transit encryption
   An example of a configuration for data in transit encryption is setting up a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for a web server.
   Apache server configuration example showing the path to the certificate and key:
   
   1. SSLEngine on
   2. SSLCertificateFile /path/to/your_certificate.crt
   3. SSLCertificateKeyFile /path/to/your_private.key
   4. SSLCertificateChainFile /path/to/CA_bundle.crt

Redirect rule showing HTTP traffic routed to HTTPS:

1. 1. RewriteEngine On
   2. RewriteCond %{HTTPS} off
   3. RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]