Encryption in transit
Demonstrate that all data transmissions containing sensitive or regulated information are protected by strong encryption protocols that prevent unauthorized interception or modification during transit.
Description
What this control does
Encryption in transit protects data while it moves between systems, networks, or components by encrypting it with cryptographic protocols such as TLS 1.2 or higher, SSH, IPsec, or equivalent. This control mandates that all sensitive or regulated data traversing untrusted or public networks must be encrypted to prevent interception, eavesdropping, or man-in-the-middle attacks. Encryption alone does not stop an active attacker: the remote endpoint must also be authenticated (certificate chain validation for TLS, host-key verification for SSH), otherwise an attacker who can sit in the path can terminate one encrypted session and open another, reading and altering everything in between. Implementation typically involves configuring servers, applications, and network devices to enforce encrypted connections, reject plaintext protocols, and restrict negotiation to current protocol versions and cipher suites.
Control objective
What auditing this proves
Demonstrate that all data transmissions containing sensitive or regulated information are protected by strong encryption protocols that prevent unauthorized interception or modification during transit.
Associated risks
Risks this control addresses
- Attackers intercept unencrypted network traffic to capture credentials, personally identifiable information, or intellectual property
- Man-in-the-middle attacks manipulate data streams to inject malicious payloads or alter transaction content
- Session hijacking occurs when attackers capture session tokens transmitted in cleartext over unencrypted channels
- Insider threats or malicious network administrators eavesdrop on internal communications lacking encryption
- Compliance violations result from transmitting regulated data (PHI, cardholder data in scope for PCI DSS, PII) over unencrypted connections
- Legacy systems using deprecated protocols (SSLv3, TLS 1.0/1.1) expose organizations to known cryptographic vulnerabilities
- Lateral movement by adversaries who capture credentials from unencrypted internal communications between application tiers or databases
Testing procedure
How an auditor verifies this control
- Obtain network diagrams, data flow diagrams, and system architecture documentation to identify all data transmission paths involving sensitive information.
- Review encryption policies, standards, and configuration baselines to confirm required encryption protocols, approved cipher suites, and minimum TLS versions (with SSLv2/SSLv3 and TLS 1.0/1.1 explicitly prohibited) are documented.
- Select a representative sample of systems, applications, APIs, and network segments that handle sensitive data across different environments (production, staging, external-facing).
- Perform network traffic analysis using packet capture tools (Wireshark, tcpdump) or SSL/TLS inspection proxies to verify encryption is active on sampled connections.
- Execute vulnerability scans or use SSL Labs, testssl.sh, or equivalent tools to assess TLS configuration strength, protocol versions, cipher suites, and certificate validity.
- Review server and application configuration files (web servers, load balancers, APIs, databases) to confirm enforcement of encrypted protocols and rejection of plaintext connections.
- Test authentication and data submission workflows by attempting connections using deprecated protocols or weak ciphers to verify they are blocked.
- Interview system administrators and developers to validate understanding of encryption requirements, key management practices, and procedures for addressing encryption failures or exceptions.
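The traffic-analysis, protocol-version and deprecated-protocol steps above can be partly automated against payloads exported from a packet capture. The following script is an added example for this page, not part of the original control text or any vendor tool: it parses the TLS record and ServerHello headers of each sampled connection to report which protocol version was actually negotiated (reading the TLS 1.3 supported_versions extension, since legacy_version always says 1.2 there), flags anything below TLS 1.2, and flags plaintext payloads that carry credentials. The endpoint names and the payload bytes are constructed by hand for illustration; a real run would feed it the first server-side payload of each sampled flow from tcpdump or Wireshark.

```python
"""Offline triage of captured TCP payloads for the encryption-in-transit test.

Added example for the auditor steps above; not part of the original control text.
Host labels and payload bytes are constructed for illustration only.
"""
import struct
from typing import Dict, Optional

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
ACCEPTED = {"TLS 1.2", "TLS 1.3"}          # minimum version the control requires
# IANA cipher-suite identifiers used by the samples (subset, for readability)
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA: no forward secrecy
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",                 # TLS 1.3
}


def parse_server_hello(payload: bytes) -> Optional[dict]:
    """Return negotiated version and cipher from a TLS ServerHello record, else None."""
    if len(payload) < 5 or payload[0] != 0x16:         # record type: handshake
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:               # handshake type: ServerHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[0:2])[0]          # legacy_version (1.2 even for 1.3)
    pos = 2 + 32                                       # skip random
    pos += 1 + hs[pos]                                 # skip session_id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                                       # cipher suite + compression method
    if pos + 2 <= len(hs):                             # extensions are optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:          # supported_versions: real TLS 1.3 version
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": TLS_VERSIONS.get(version, hex(version)),
            "cipher": CIPHER_NAMES.get(cipher, hex(cipher))}


def classify(payload: bytes) -> dict:
    """One finding per captured payload: TLS (and which version) or cleartext."""
    is_tls = len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03
    if is_tls:
        hello = parse_server_hello(payload)
        if hello is None:  # e.g. an application_data record: fall back to record-layer version
            hello = {"version": TLS_VERSIONS.get(struct.unpack("!H", payload[1:3])[0], "unknown"),
                     "cipher": None}
        return {"transport": "tls", "version": hello["version"], "cipher": hello["cipher"],
                "compliant": hello["version"] in ACCEPTED, "credentials_in_clear": False}
    lowered = payload.lower()
    creds = b"authorization:" in lowered or b"password=" in lowered
    return {"transport": "plaintext", "version": None, "cipher": None,
            "compliant": False, "credentials_in_clear": creds}


def build_server_hello(legacy_version: int, cipher: int,
                       supported_version: Optional[int] = None) -> bytes:
    """Construct a minimal ServerHello record as test data (not a real capture)."""
    hello = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session_id
    hello += struct.pack("!H", cipher) + b"\x00"                         # cipher suite, null compression
    exts = b"" if supported_version is None else struct.pack("!HHH", 0x002B, 2, supported_version)
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", legacy_version, len(handshake)) + handshake


# Constructed sample "captures" keyed by sampled endpoint (hostnames are made up).
SAMPLES: Dict[str, bytes] = {
    "api-gw:443": build_server_hello(0x0303, 0x1301, supported_version=0x0304),
    "payments:443": build_server_hello(0x0303, 0xC02F),
    "legacy-app:443": build_server_hello(0x0301, 0x002F),
    "intranet-portal:80": (b"POST /login HTTP/1.1\r\nHost: intranet-portal\r\n"
                           b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"
                           b"user=admin&password=hunter2"),
}


def audit(samples: Dict[str, bytes]) -> Dict[str, dict]:
    return {endpoint: classify(payload) for endpoint, payload in samples.items()}


if __name__ == "__main__":
    for endpoint, f in audit(SAMPLES).items():
        print("PASS" if f["compliant"] else "FAIL", f"{endpoint:20}", f["transport"],
              f["version"] or "-", f["cipher"] or "-",
              "credentials in cleartext" if f["credentials_in_clear"] else "")
```

To pull real ServerHellos, filter the capture in Wireshark with `tls.handshake.type == 2` and export the packet bytes, or walk a pcap with a library such as dpkt or scapy. Two caveats apply. First, seeing a TLS 1.2 or 1.3 handshake proves only what that one client negotiated; whether the server would still accept TLS 1.0 (step 7) needs an active probe such as `openssl s_client -tls1_1 -connect host:443` or a testssl.sh run. Second, this parser does not validate the certificate chain or judge cipher strength beyond naming the suite, so it complements rather than replaces the SSL Labs or testssl.sh assessment in step 5.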
Where this control is tested