3.10
IG2 IG3

Encrypt Sensitive Data in Transit

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify all data requiring encryption
7. Select approved encryption algorithms and key lengths (AES-256)
8. Deploy encryption solution and verify data protection
9. Establish key management procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Man-in-the-Middle Interception of Sensitive Data (Confidentiality)

Attackers on the network path intercept unencrypted sensitive data in transit via ARP spoofing, DNS hijacking, or compromised network equipment, capturing credentials and business data.

Credential Harvesting via Unencrypted Protocols (Confidentiality)

Authentication credentials transmitted over unencrypted protocols like HTTP, FTP, or Telnet are captured by network sniffers, enabling account takeover attacks.

Data Manipulation in Transit (Integrity)

Without transit encryption, attackers modify data in flight between systems, injecting malicious content or altering financial transactions without detection.

Vulnerabilities (When Safeguard Absent)

Sensitive Data Transmitted in Cleartext

Without enforced encryption for data in transit, sensitive information including credentials, PII, and financial data traverses networks in readable plaintext.

No Enforcement of Encrypted Protocols

Systems and applications allow fallback to unencrypted protocols, enabling downgrade attacks and unintentional cleartext transmission of sensitive data.
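The fallback gap described above, and the "TLS settings" evidence item this safeguard asks for, can both be checked in code. The following is an added example and not part of the CIS page: it builds a Python ssl client context pinned to TLS 1.2 or higher with mandatory peer verification, the permissive counterpart that would produce the finding above, and an audit function that reports the gaps. The policy constants, weak-cipher markers and function names are assumptions of this example.

```python
import ssl

# Assumed policy floor for clients under this safeguard: TLS 1.2 or newer, verified peers.
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses downgrade below TLS 1.2 and always verifies the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = REQUIRED_MIN_VERSION       # no fallback to TLS 1.0 / 1.1
    ctx.check_hostname = True                         # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED               # unverifiable peers are rejected
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")   # forward-secret AEAD suites only
    ctx.options |= ssl.OP_NO_COMPRESSION              # no TLS-level compression
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context behind the 'No Enforcement of Encrypted Protocols' finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including an interceptor's, is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # legacy protocol versions still permitted
    except ValueError:
        pass  # this OpenSSL build has TLS 1.0 compiled out; the other weaknesses remain
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the safeguard gaps in a context; an empty list means it passes the audit."""
    findings = []
    if ctx.minimum_version < REQUIRED_MIN_VERSION:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}; "
                        "TLSv1_2 or higher is required")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required or not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

Run monthly against the contexts an application actually builds, the empty result for the hardened context is the evidence the collection schedule asks for, and the findings list for the weak one is the remediation backlog.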

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled  | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Technical | Encryption configuration evidence (disk encryption status, TLS settings)   | Scanned monthly
Document  | Key management procedures and key rotation records                         | Reviewed annually
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually