Is sensitive data protected with encryption (at rest, in transit) and DLP?
Demonstrate that sensitive data is encrypted using industry-standard algorithms at rest and in transit, and that DLP policies are actively enforced to prevent unauthorized data movement or exfiltration.
Description
What this control does
This control ensures that sensitive data is protected through cryptographic mechanisms both when stored (at rest) and during transmission (in transit), supplemented by Data Loss Prevention (DLP) tools that monitor, detect, and block unauthorized data movement. Encryption at rest protects data on storage media using algorithms like AES-256, while encryption in transit uses protocols such as TLS 1.2+ or IPsec for network communications. DLP solutions enforce policies that prevent sensitive data from being copied, transmitted, or exfiltrated through endpoints, email, cloud services, or removable media. The combination of these controls reduces the risk of data exposure from theft, loss, interception, or insider actions.
Control objective
What auditing this proves
Demonstrate that sensitive data is encrypted using industry-standard algorithms at rest and in transit, and that DLP policies are actively enforced to prevent unauthorized data movement or exfiltration.
Associated risks
Risks this control addresses
- Interception of unencrypted data during transmission over untrusted networks by man-in-the-middle attackers
- Unauthorized access to sensitive data on stolen or improperly decommissioned storage devices lacking encryption
- Insider threats exfiltrating sensitive information via email, cloud storage, or removable media without detection
- Data exposure through misconfigured cloud storage buckets or databases with disabled encryption settings
- Compliance violations and regulatory penalties due to failure to protect personally identifiable information (PII) or payment card data
- Ransomware or malware attacks gaining access to plaintext sensitive data without cryptographic barriers
- Loss of confidentiality when backup media containing unencrypted sensitive data is lost or improperly handled
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy and inventory of systems processing sensitive data categories (PII, PHI, financial, intellectual property).
- Select a representative sample of databases, file servers, SaaS applications, and endpoints known to store sensitive data.
- Review encryption configuration settings for each sampled system, verifying encryption algorithm strength (e.g., AES-256), key management practices, and certificate validity.
- Capture network traffic samples between client and server endpoints with packet analysis tools to verify the negotiated TLS/SSL protocol versions and cipher suites for data in transit.
- Examine DLP policy configuration in the deployed solution, including content inspection rules, data classification tags, egress channel controls (email, web, USB, cloud), and enforcement actions (block, quarantine, alert).
- Review DLP incident logs and alerts from the past 90 days to verify active detection of policy violations and responsiveness of security teams.
- Test DLP enforcement by simulating transmission of sample sensitive data through monitored channels (e.g., emailing a test file containing mock PII or credit card numbers).
- Interview system administrators and security engineers to confirm encryption key rotation procedures, key escrow arrangements, and disaster recovery plans for encrypted data.
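Two of the steps above, grading the protocol versions and cipher suites seen in a capture, and simulating DLP content inspection with mock card numbers and PII, can be scripted so that every sampled system is judged against the same policy. The Python below is an added example written for this page, not tooling from the control's source: the handshake records, the per-channel enforcement table and the sample messages are constructed, and the two rules (Luhn-validated 13 to 16 digit runs, US-SSN-shaped identifiers) are a minimal stand-in for a real DLP engine's content rules.

```python
"""Audit helper for the testing procedure (added example, not part of the control text).

  1. evaluate_tls_observation(): grade one captured protocol/cipher pair against a minimum
     policy (TLS 1.2+, no broken primitives, forward secrecy on TLS 1.2).
  2. inspect_message(): a minimal DLP content-inspection rule set that returns the
     enforcement action a channel policy would apply.
All handshakes, messages and the policy table below are constructed for illustration.
"""
import re

# --- 1. Encryption in transit: policy applied to observed handshakes ----------------------
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Cipher-suite name fragments that indicate a broken or deprecated primitive.
WEAK_FRAGMENTS = ("NULL", "RC4", "3DES", "DES", "EXPORT", "MD5", "ANON")


def evaluate_tls_observation(version: str, cipher: str) -> list[str]:
    """Return a list of findings for one handshake; an empty list means compliant."""
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"protocol {version} below TLS 1.2 minimum")
    name = cipher.upper()
    for frag in WEAK_FRAGMENTS:
        if frag in name:
            findings.append(f"cipher {cipher} uses deprecated primitive {frag}")
            break
    # TLS 1.3 suites are always ephemeral-key; TLS 1.2 needs an (EC)DHE key exchange.
    if version == "TLSv1.2" and not name.startswith(("ECDHE", "DHE", "TLS_ECDHE", "TLS_DHE")):
        findings.append(f"cipher {cipher} lacks forward secrecy")
    return findings


# --- 2. DLP content inspection: detection rules plus per-channel enforcement --------------
def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs so only plausible card numbers fire."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Enforcement action per egress channel, as a DLP policy would define it (constructed).
CHANNEL_ACTIONS = {"email": "block", "web": "quarantine", "usb": "block", "chat": "alert"}


def detect_sensitive(text: str) -> dict[str, list[str]]:
    """Return {data_type: [matches]}; card candidates must also pass the Luhn check."""
    hits = {}
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_valid(re.sub(r"[ -]", "", m.group()))]
    if cards:
        hits["card_number"] = cards
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = ssns
    return hits


def inspect_message(text: str, channel: str) -> dict:
    """Decide the enforcement action for one outbound message on one channel."""
    hits = detect_sensitive(text)
    action = CHANNEL_ACTIONS.get(channel, "alert") if hits else "allow"
    return {"channel": channel, "action": action, "findings": hits}


SAMPLE_TRAFFIC = [  # constructed: (client, server, negotiated version, cipher suite)
    ("10.0.1.5", "db.internal", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("10.0.1.5", "legacy-app", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("10.0.2.9", "api.internal", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

SAMPLE_MESSAGES = [  # constructed mock data for the DLP simulation step
    ("email", "Test file attached. Card 4111 1111 1111 1111 exp 12/29, SSN 123-45-6789."),
    ("chat", "Ticket 1234 5678 9012 3456 is still open."),  # fails Luhn: not a card
    ("web", "Quarterly report, no regulated data."),
]


def run_audit():
    """Evaluate the constructed samples; returns (tls findings by server, dlp decisions)."""
    tls = {srv: evaluate_tls_observation(v, c) for _, srv, v, c in SAMPLE_TRAFFIC}
    dlp = [inspect_message(text, ch) for ch, text in SAMPLE_MESSAGES]
    return tls, dlp


if __name__ == "__main__":
    tls_results, dlp_results = run_audit()
    for server, findings in tls_results.items():
        print(server, "OK" if not findings else findings)
    for decision in dlp_results:
        print(decision)
```

The Luhn filter is what keeps the simulation honest: a ticket number that happens to be 16 digits long does not count as a policy violation, so a DLP engine that fires on it is producing noise rather than evidence, while a TLS 1.2 session that negotiates a plain RSA key exchange is recorded as a finding even though the cipher itself is not broken.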