Use strong data encryption to transmit in scope data or in scope information, as necessary.


CONTROL ID
00564
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570

This Control has the following implementation support Control(s):
  • Ensure restricted data or restricted information are encrypted prior to or at the time of transmission., CC ID: 01749
  • Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls., CC ID: 12492
  • Encrypt traffic over networks with trusted cryptographic keys., CC ID: 12490
  • Authorize transactions of data transmitted over public networks or shared data networks., CC ID: 00566
  • Implement non-repudiation for transactions., CC ID: 00567
  • Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks., CC ID: 00568
  • Protect application services information transmitted over a public network from unauthorized modification., CC ID: 12021
  • Protect application services information transmitted over a public network from unauthorized disclosure., CC ID: 12020
  • Protect application services information transmitted over a public network from contract disputes., CC ID: 12019
  • Protect application services information transmitted over a public network from fraudulent activity., CC ID: 12018


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In addition to the controls set out above, where there is an operational need (e.g. for customer statement printing) for AIs to transmit customer data to their service providers over public network, strong data encryption should be in place to protect the customer data during transmission. (Annex I. ¶ 2, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • ensuring that adequate encryption mechanisms and other controls are in place to protect the confidentiality and integrity of any sensitive information and documents submitted by the customers via the AIs' corporate websites; (§ 6.2.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • ensuring that adequate encryption mechanisms and other controls are in place to protect the confidentiality and integrity of any sensitive information and documents submitted by the customers; (§ 6.2.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Controls over mobile computing are required to manage the risks of working in an unprotected environment. In protecting AIs’ information, AIs should establish control procedures covering: - an approval process for user requests for mobile computing; - authentication controls for remote access to n… (3.5.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • encrypt sensitive information such as client login credentials (ie, user ID and password) and trade data during transmission between internal networks and client devices; and (1.4. ¶ 1 (a), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • T26.6: For data transmission, the organization should use encryption and other required security controls to prevent personal identification numbers and passwords from becoming known. T29: The organization should encrypt important data to prevent it from being leaked via wiretapping. (T26.6, T29, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination. (Critical components of information security 15) ix., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Using encryption to protect communications between the access device and the institution and to protect sensitive data residing on the access device (Critical components of information security 25) iii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; (Article 28(1)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • As mobile devices are susceptible to theft and loss, the FI should ensure that there is adequate protection of sensitive or confidential information used for mobile online services and payments. The FI should have sensitive or confidential information encrypted to ensure the confidentiality and inte… (§ 12.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • For the purpose of exchanging confidential information between the FI and its external parties, the FI should take utmost care to preserve the confidentiality of all confidential information. For this purpose, the FI should at all times take appropriate measures including sending information through… (§ 9.1.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To protect sensitive cryptographic keys, the FI should manage, process and store such keys in hardened and tamper resistant systems, e.g. by using a hardware security module. (§ 10.2.4, Technology Risk Management Guidelines, January 2021)
  • Where sensitive cryptographic keys need to be transmitted, the FI should ensure these keys are not exposed during transmission. The keys should be distributed to the intended recipient via an out-of-band channel or other secure means to minimise the risk of interception. (§ 10.2.5, Technology Risk Management Guidelines, January 2021)
  • data in motion - data that traverses a network or that is transported between sites; (§ 11.1.1(a), Technology Risk Management Guidelines, January 2021)
  • The FI should secure its communications channels to protect customer data. This can be achieved through data encryption and digital signatures. (§ 14.1.2, Technology Risk Management Guidelines, January 2021)
  • Encrypt or password protect attachments containing personal data that has a higher risk of adversely affecting the individual should it be compromised. The password should be communicated separately. For encryption, review the method of encryption (e.g. algorithm and key length) periodically to ensu… (Annex A1: Email Security 55, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Apply secure connection technologies or protocols when transmitting electronic personal data, such as over a computer network or from one network to another. (Annex A2: Computer Network Security 8, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems. (Security Control: 0232; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure. (Security Control: 1085; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Cryptographic equipment or encryption software that implements an ASD Approved Cryptographic Protocol (AACP) is used to communicate sensitive information over public network infrastructure and through unsecured spaces. (Security Control: 1162; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Cryptographic equipment or encryption software that has completed an ACE is used to communicate classified information over official networks, public network infrastructure and through unsecured spaces. (Security Control: 0465; Revision: 6, Australian Government Information Security Manual, March 2021)
  • HACE is used to communicate highly classified information over networks of a lower classification, official networks, public network infrastructure and through unsecured spaces. (Security Control: 0467; Revision: 8, Australian Government Information Security Manual, March 2021)
  • The ESP protocol is used for IPsec connections. (Security Control: 0496; Revision: 4, Australian Government Information Security Manual, March 2021)
  • ASD approved cryptography is used to protect the confidentiality and integrity of all wireless network traffic. (Security Control: 1332; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. (Security Control: 0494; Revision: 3, Australian Government Information Security Manual, March 2021)
  • All web application content is offered exclusively using HTTPS. (Security Control: 1552; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Data is encrypted at rest and in transit between different systems. (P7:, Australian Government Information Security Manual, June 2023)
  • Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure. (Control: ISM-1085; Revision: 4, Australian Government Information Security Manual, June 2023)
  • When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure. (Control: ISM-0241; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems. (Control: ISM-0232; Revision: 3, Australian Government Information Security Manual, June 2023)
  • An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure. (Control: ISM-0469; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. (Control: ISM-0494; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Data is encrypted at rest and in transit between different systems. (P7:, Australian Government Information Security Manual, September 2023)
  • Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure. (Control: ISM-1085; Revision: 4, Australian Government Information Security Manual, September 2023)
  • When sending fax messages, the fax message is encrypted to an appropriate level to be communicated over unsecured telecommunications infrastructure. (Control: ISM-0241; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Telephone systems used for sensitive or classified conversations encrypt all traffic that passes over external systems. (Control: ISM-0232; Revision: 3, Australian Government Information Security Manual, September 2023)
  • An ASD-Approved Cryptographic Protocol (AACP) or high assurance cryptographic protocol is used to protect data when communicated over network infrastructure. (Control: ISM-0469; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Tunnel mode is used for IPsec connections; however, if using transport mode, an IP tunnel is used. (Control: ISM-0494; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The organization must use approved encryption methods for communicating sensitive information or classified information over public network infrastructure or infrastructure located in unsecured areas. (Control: 0157, Australian Government Information Security Manual: Controls)
  • The organization must ensure sensitive or classified fax messages are encrypted when they are communicated over an unsecured telecommunications infrastructure or a Public Switched Telephone Network. (Control: 0241, Australian Government Information Security Manual: Controls)
  • The organization must ensure sensitive traffic or classified traffic being sent over external telephone systems is encrypted. (Control: 0232 Bullet 2, Australian Government Information Security Manual: Controls)
  • Communications of sensitive information or classified information between web applications and database systems must be encrypted. (Control: 1277, Australian Government Information Security Manual: Controls)
  • The organization must enable Transport Layer Security encryption on e-mail servers that have incoming e-mail connections or outgoing e-mail connections over the public network infrastructure. (Control: 0572, Australian Government Information Security Manual: Controls)
  • The organization must use a DSD Approved Cryptographic Protocol encryption product to communicate sensitive information over the public network infrastructure. (Control: 1162, Australian Government Information Security Manual: Controls)
  • The organization must use a common criteria-evaluated encryption product with a Defence Signals Directorate cryptographic evaluation to communicate classified information over the public network infrastructure. (Control: 0465, Australian Government Information Security Manual: Controls)
  • The organization must use High Grade Cryptographic Equipment to communicate classified information over networks of a lower classification or the public network infrastructure. (Control: 0467, Australian Government Information Security Manual: Controls)
  • The organization must use a DSD Approved Cryptographic Algorithm, at a minimum, to protect Australian Eyes Only information and Australian Government Access Only information when it is in transit, in addition to encryption that is already implemented for communication mediums. (Control: 0469, Australian Government Information Security Manual: Controls)
  • The organization should protect Internet Protocol telephony signaling, video conferencing signaling, and the data to ensure integrity, confidentiality, authenticity, availability, and non-replayability. (Control: 0547, Australian Government Information Security Manual: Controls)
  • The organization must use an approved encryption methodology on mobile devices that communicate sensitive information or classified information over a public network infrastructure. (Control: 1085, Australian Government Information Security Manual: Controls)
  • The organization should use cryptographic techniques to control access to sensitive information and sensitive data in transit. (¶ 50, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement cryptographic techniques for transmitting critical data, critical information, sensitive data, and/or sensitive data in untrusted environments. (Attach F ¶ 1(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Att… (54., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • transmission and storage of critical and/or sensitive data in an 'untrusted' environment or where a higher degree of security is required; (Attachment E 1(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In APRA's view, cryptographic techniques would normally be used to control access to sensitive data/information, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data/information as well as other s… (¶ 50, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • encryption of data at rest and in transit (in accordance with the data classification). (3.4.4 36(f), Final Report EBA Guidelines on ICT and security risk management)
  • The recording of communications and related traffic data is authorized for lawful business practices for the purpose of providing proof of a transaction or any other business communications. (Art 5.2, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  • Using strong encryption procedures (e. g. AES) and the use of secure network protocols that correspond to the state of the art (e. g. TLS, IPsec, SSH) (Section 5.8 KRY-01 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When personal data is used or processed automatically, the authorities or enterprises internal organization must be arranged to meet the specific requirements of data protection. Measures need to be taken for the type of personal data or data categories to be protected to ensure personal data cannot… (Annex, German Federal Data Protection Act, September 14, 1994)
  • Messages and identification data may be protected by any technical means that the subscribers and users wish to use. This protection must not interfere with the use of any communications or network service. (§ 6(1), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • App 2 ¶ 14.e: For IT systems that process and access restricted information, the system shall use commercial encryption devices to transmit or electronically access restricted information via a public network. For pressing business needs, restricted information may be transmitted in clear text for … (App 2 ¶ 14.e, App 6 ¶ 15.e, The Contractual process, Version 5.0 October 2010)
  • User data transiting networks should be adequately protected against tampering and eavesdropping. (1. ¶ 1, Cloud Security Guidance, 1.0)
  • Data transiting networks should be adequately protected against tampering and eavesdropping through a combination of network protection and encryption. (1: ¶ 1, Cloud Security Guidance, 1.0)
  • User data transiting networks should be adequately protected against tampering and eavesdropping. (1. ¶ 1, Cloud Security Guidance, 2)
  • You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. (B3.b ¶ 1, NCSC CAF guidance, 3.1)
  • The entity uses data encryption to supplement other measures to protect data in transit and at rest when such protections are deemed appropriate based on the assessed level of risk. The entity administrates, maintains and manages its encryption key management systems and regularly backs up its key s… (S7.1 Uses encryption to protect data, Privacy Management Framework, Updated March 1, 2020)
  • Encryption technologies or secure communication channels are used to protect data in transit and at rest, and communications of such data beyond the entity's established connectivity mechanisms are logical with physical access points. (S7.3 Uses encryption technologies or secure communication channels to protect data, Privacy Management Framework, Updated March 1, 2020)
  • Use of strong cryptography for transmission of cardholder data (4.5, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Enable encryption for all broadcast transmissions (Encryption Mode 3). (4.4.3 G, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Use application-level (on top of the Bluetooth stack) authentication and encryption for sensitive data communication such as SSL. (4.4.3 J, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Use only strong security protocols, such as SSLv3. (4.5.1 A, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Call centers will need to ensure that transmission of cardholder data across public networks is encrypted. (Pg. 9 ¶ 1, Information Supplement: Protecting Telephone-based Payment Card Data, Version 2.0)
  • Verify the use of strong encryption (for example, Secure Sockets Layer and Transport Layer Security or Internet Protocol Security) wherever cardholder data is transmitted or received over open, public networks. (§ 4.1.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies. (§ 4.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Identify all locations where cardholder data is transmitted over open, public networks and examine the configurations to verify each location is using strong cryptography and security protocols for the transmissions. (Testing Procedures § 4.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Select and observe a sample of inbound transmissions and outbound transmissions to verify the cardholder data is encrypted during the transmission. (Testing Procedures § 4.1.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system configurations for Secure Socket Layer and Transport Layer Security implementations to verify Secure Socket Layer and Transport Layer Security is enabled whenever cardholder data is transmitted or received. (Testing Procedures § 4.1.g, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Identify the wireless networks that transmit cardholder data or connected to a cardholder data environment and examine the configuration settings to verify that industry best practices are used to implement strong encryption for authentication and transmission. (Testing Procedures § 4.1.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Identify the wireless networks that transmit cardholder data or connected to a cardholder data environment and examine the configuration settings to verify that weak encryption is not used as a security control for authentication or transmission. (Testing Procedures § 4.1.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure sensitive cardholder data transmitted over public networks are safeguarded with the use of strong cryptography. (§ 4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a sample of transactions as they are received and observe transactions as they occur to verify the use of strong encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks. (§ 4.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies. (§ 4.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the use of security protocols wherever cardholder data is transmitted or received over open, public networks. (§ 4.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a sample of transactions as they are received and observe transactions as they occur to verify that the protocol is implemented to use only secure configurations, and does not support insecure versions or configurations. (§ 4.1.c Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Strong cryptography and security protocols that only accept trusted keys and certificates must be used to safeguard sensitive cardholder data during transmission over open, public networks. (PCI DSS Requirements § 4.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Strong cryptography where the encryption strength is appropriate for the encryption method must be used to safeguard sensitive cardholder data during transmission over open, public networks. (PCI DSS Requirements § 4.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Wireless networks that transmit cardholder data or connected to the cardholder data environment must use industry best practices for implementing strong encryption. (PCI DSS Requirements § 4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (8.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions o… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. (4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Encrypt transmission of cardholder data across open, public networks. (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (8.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Encrypt transmission of cardholder data across open, public networks. (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption st… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission. (4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Encrypt transmission of cardholder data across open, public networks. (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (8.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption st… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission. (4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? (4.1 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Identify all locations where cardholder data is transmitted or received over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. (4.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Select and observe a sample of inbound and outbound transmissions as they occur (for example, by observing system processes or network traffic) to verify that all cardholder data is encrypted with strong cryptography during transit. (4.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings to verify the following for all wireless networks identified: - Industry best practices are used to implement strong … (4.1.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission. (8.2.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: Observe data transmissions to verify that non-consumer customer passwords are unreadable during transmission. (8.2.1.e, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage. (8.2.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • § 4.5.1.A SSLv3 is mandatory for traffic that carries cardholder data. § 4.5.1.B When possible, 256-bit encryption is preferred. (§ 4.5.1.A, § 4.5.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Security protocols, such as SSL, TLS, and IPSEC, and strong cryptography should be used to encrypt cardholder data during transmissions over open, public networks. Examples of open, public networks include the Internet, WiFi, global system for mobile communications (GSM), and general packet radio se… (§ 12.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (8.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented policies and procedures and interview personnel to verify processes are defined to include all elements specified in this requirement. (4.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine cardholder data transmissions to verify that all PAN is encrypted with strong cryptography when it is transmitted over open, public networks. (4.2.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configurations to verify that wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures to verify that processes are defined to secure PAN with strong cryptography whenever sent over end-user messaging technologies. (4.2.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system configurations and vendor documentation to verify that PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine vendor documentation and system configuration settings to verify that authentication factors are rendered unreadable with strong cryptography during transmission and storage. (8.3.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine data transmissions to verify that authentication factors are unreadable during transmission. (8.3.2.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (8.3.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (8.3.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (8.3.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission. (4.2.1.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies. (4.2.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. (8.3.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should have a secure process to submit authorization requests through the Internet. The organization should use encryption for transaction data transmissions. (Pg 18, Pg 19, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The security of instant messaging applications should be improved by using encryption to protect the contents of sensitive messages. (CF.15.02.03b, The Standard of Good Practice for Information Security)
  • Sensitive information in transit should be protected against unauthorized disclosure by using encryption (e.g., using secure sockets layer, Transport Layer Security, or equivalent). (CF.04.02.04a, The Standard of Good Practice for Information Security)
  • Information Systems and networks accessible by external connections should be designed to protect sensitive information stored on Information Systems and transmitted to external party locations (e.g., using encryption). (CF.09.03.02c, The Standard of Good Practice for Information Security)
  • The integrity of critical information should be protected by encrypting information when in transit. (CF.05.03.05a, The Standard of Good Practice for Information Security)
  • The security of instant messaging applications should be improved by using encryption to protect the contents of sensitive messages. (CF.15.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Sensitive information in transit should be protected against unauthorized disclosure by using encryption (e.g., using secure sockets layer, Transport Layer Security, or equivalent). (CF.04.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Information Systems and networks accessible by external connections should be designed to protect sensitive information stored on Information Systems and transmitted to external party locations (e.g., using encryption). (CF.09.03.02c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of critical information should be protected by encrypting information when in transit. (CF.05.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Verify that encrypted communications such as TLS is used for all inbound and outbound connections, including for management ports, monitoring, authentication, API, or web service calls, database, cloud, serverless, mainframe, external, and partner connections. The server must not fall back to insecu… (9.2.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the firmware apps protect data-in-transit using transport layer security. (C.7, Application Security Verification Standard 4.0.3, 4.0.3)
  • All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. (Control 14.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use a secondary encryption channel for protocols that do not natively support strong encryption. (Critical Control 3.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system should encrypt information whenever the information flows over a network of lower trust level. (Critical Control 15.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should encrypt all sensitive information that is communicated over less secure networks. (Critical Control 15.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interf… (EKM-03, Cloud Controls Matrix, v3.0)
  • Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separa… (EKM-04, Cloud Controls Matrix, v3.0)
  • Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. (CEK-03, Cloud Controls Matrix, v4.0)
  • Use secure and encrypted communication channels when migrating servers, services, applications, or data to cloud environments. Such channels must include only up-to-date and approved protocols. (IVS-07, Cloud Controls Matrix, v4.0)
  • Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging). (IS-18, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data. (IS-28, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, 7.1)
  • Encrypt all sensitive information in transit. (CIS Control 14: Sub-Control 14.4 Encrypt All Sensitive Information in Transit, CIS Controls, 7.1)
  • Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. (CIS Control 16: Sub-Control 16.5 Encrypt Transmittal of Username and Authentication Credentials, CIS Controls, 7.1)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, V7)
  • Encrypt all sensitive information in transit. (CIS Control 14: Sub-Control 14.4 Encrypt All Sensitive Information in Transit, CIS Controls, V7)
  • Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. (CIS Control 16: Sub-Control 16.5 Encrypt Transmittal of Username and Authentication Credentials, CIS Controls, V7)
  • Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). (CIS Control 3: Safeguard 3.10 Encrypt Sensitive Data in Transit, CIS Controls, V8)
  • ¶ 8.2.5(1) Cryptography. An organization should implement safeguards to assure cryptography procedures are in place. Cryptography is a mathematical means of transforming data to provide security. It can be used for many different purposes in IT security, for example, cryptography can help to provid… (¶ 8.2.5(1), ¶ 9.2 Table Row "Data Confidentiality Protection", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Data Confidentiality Over Networks. In circumstances where preservation of confidentiality is important, encryption safeguards should be considered to encrypt information passing over network connections. The decision to use encryption safeguards should take account of: • relevant government laws … (¶ 13.9, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Online transactions should be protected against misrouting, incomplete transmission, unauthorized disclosure, duplication, and message alteration. Organizations using online transactions should ensure that user credentials are verified; the communications path is encrypted; electronic signatures are… (§ 10.9.2, ISO 27002 Code of practice for information security management, 2005)
  • PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. (§ A.10.6 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. (§ A.11.6 ¶ 2, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization should subject PII transmitted over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination. (§ 8.4.3 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization should subject PII transmitted (e.g. sent to another organization) over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination. (§ 7.4.9 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. (CC6.7 ¶ 2 Bullet 2 Uses Encryption Technologies or Secure Communication Channels to Protect Data, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Controls for data-in-transit include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-2.2, CRI Profile, v1.2)
  • Controls for data-in-transit include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Security Prin. and Criteria Table § 3.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Availability Prin. and Criteria Table § 3.9, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Processing Integrity Prin. and Criteria Table § 3.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Confidentiality Prin. and Criteria Table § 3.12, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Personal information that is collected and transmitted over the Internet, wireless networks, and other public or nonsecure networks are protected with industry standard encryption technology. (Generally Accepted Privacy Principles and Criteria § 8.2.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as encrypting personal information that is sent over the Internet. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should encrypt personal information that it collects and transmits over wireless networks. (Table Ref 8.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. (CC6.7 Uses Encryption Technologies or Secure Communication Channels to Protect Data, Trust Services Criteria)
  • Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. (CC6.7 ¶ 2 Bullet 2 Uses Encryption Technologies or Secure Communication Channels to Protect Data, Trust Services Criteria, (includes March 2020 updates))
  • Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media; (Section 4.D ¶ 1(2)(d), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • encrypting data in motion, (e.g., encrypting email attachments containing customer information or other sensitive information), to reduce the risk of unauthorized interception; and (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 14, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Is wireless networking technology encrypted using strong encryption (Wireless Fidelity Protected Access v2 or higher)? (§ G.12.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When scoped data is sent or received electronically or via physical media, is the data encrypted during transit while outside the network? (§ G.14.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When scoped data is sent or received electronically, is the data encrypted when it is sent via e-mail? (§ G.14.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that transmit scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that transmit scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that process scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS400 systems that store scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When encryption tools are managed and maintained for scoped data, are encryption keys encrypted when transmitted? (§ I.6.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing services, is scoped data encrypted when transiting to third party vendors? (§ V.1.11.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing application program interfaces, is scoped data encrypted in the Application Program Interface response? (§ V.1.39.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing application program interfaces, is scoped data encrypted in the Application Program Interface request? (§ V.1.39.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are passwords encrypted in transit? (§ V.1.72.17, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 4.3 ¶ 2: The organization shall not transport data that includes personally identifiable information from a CMS data center, unless it is encrypted. The encryption requirement may be waived with written approval from the data's business owner, followed by "wet" signatures by the CMS chief inform… (§ 4.3 ¶ 2, Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 7 ¶ 1: The organization must use technologies that let users prove who they say they are and encrypt data to avoid inappropriate disclosure or modification, so data can travel over the Internet safely and only be disclosed to authorized parties. The organization must implement encryption at a le… (§ 7 ¶ 1, § 7 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • S-MIME - Standard commercial implementations of encryption in the e-mail layer are acceptable. (ACCEPTABLE ENCRYPTION APPROACHES - SOFTWARE-BASED ENCRYPTION: 3., HIPAA HCFA Internet Security Policy, November 1998)
  • HCFA Privacy Act-protected and/or other sensitive HCFA information sent over the Internet must be accessed only by authorized parties. Technologies that allow users to prove they are who they say they are (authentication or identification) and the organized scrambling of data (encryption) to avoid i… (§ 7 ¶ 1, HIPAA HCFA Internet Security Policy, November 1998)
  • The organization must protect sensitive data that is transmitted electronically outside the secured network, from source to destination, using a FIPS-approved encryption standard and via secured communications. Cryptographic mechanisms must be used to recognize changes and to prevent unauthorized in… (CSR 10.4.5, CSR 10.10.1(4), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (§ III.C(1)(c), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • The information assurance manager must ensure that Department of Defense sensitive data that is transiting non-Department of Defense networks or wireless networks is protected with a Federal Information Processing Standard 140-2 validated cryptographic module using a National Institute of Standards … (§ 3.4.2.1 ¶ AC34.065, DISA Access Control STIG, Version 2, Release 3)
  • The security administrator must configure the biometric system to encrypt and digitally sign all biometric reference data before transmitting it using Department of Defense-approved Public Key Infrastructure. (§ 4.6 ¶ BIO2009, DISA Access Control STIG, Version 2, Release 3)
  • The security administrator must configure the biometric system to encrypt transmissions from one device to another with National Institute of Standards and Technology Federal Information Processing Standard 140-2 validated cryptography. (§ 4.6 ¶ BIO2010, DISA Access Control STIG, Version 2, Release 3)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.L2-3.13.8 Data in Transit, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Customer data-in-transit encryption protections using FIPS 140-2 validated cryptographic modules operated in FIPS mode. This requirement addresses customer data transiting public and private Wide Area Networks (WAN) (i.e., Internet, NIPRNet, CSP's WAN) and Local Area Networks (LANs) from the custome… (Section 5.10.3.1 ¶ 2 Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implement a secure (encrypted) connection or path between the ACAS server and its assigned ACAS Security Center. (Section 5.10.6 ¶ 1 Bullet 13, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implement a secure (encrypted) connection or path between the HBSS agents and their control server. (Section 5.10.6 ¶ 1 Bullet 12, sub-bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • National Security Agency-approved cryptography must be used to separately encrypt classified data that is transmitted through a network that is cleared at a lower level than the transmitted data. (ECCT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Information that must be separated from other information for need-to-know reasons, while it is in transit through a network at the same classification level, must be encrypted with National Institute of Standards and Technology-certified cryptography, at a minimum. (ECNK-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Source and Methods Intelligence information that must be separated from other information for need-to-know reasons, while it is in transit through a network at the same classification level, must be encrypted with National Security Agency-approved cryptography. (ECNK-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • § 170.210(c): To verify electronic health information has not been altered in transit, a hashing algorithm that has a security strength equal to or greater than SHA-1 must be used. § 170.302(v): Complete electronic health records (EHRs) or EHR modules must be capable of encrypting and decrypting e… (§ 170.210(c), § 170.302(v), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • Use of encryption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and technical contact for assistance. (§ 5.2.1.3 ¶ 1(9), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Prevent CJI from being transmitted unencrypted across the public network. (§ 5.10.1 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption. When encryption is employed, the cryptographic module used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to pro… (§ 5.10.1.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Verifiers shall use approved encryption and an authenticated protected channel when requesting passwords to protect against eavesdropping and Man-in-the-Middle (MitM) attacks. (§ 5.6.2.1.1.2 ¶ 1(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • CJI transmitted via a single or multi-function device over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements email-like technology, shall meet the encryption req… (§ 5.10.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Verifiers shall use approved encryption and an authenticated protected channel when requesting passwords to protect against eavesdropping and Man-in-the-Middle (MitM) attacks. (§ 5.6.2.1.1.2 ¶ 1 8., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • CJI transmitted via a single or multi-function device over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements email-like technology, shall meet the encryption req… (§ 5.10.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption. When encryption is employed, the cryptographic module used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to pro… (§ 5.10.1.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Encrypt network traffic within the virtual environment. (§ 5.10.3.2 ¶ 2 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 13, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • All wireless transactions should be encrypted. (Pg E-2, Obj 5.2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should implement internal controls for processing transactions. (Pg C-7, FFIEC IT Examination Handbook - Operations, July 2004)
  • Encrypted data transmission and storage. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service p… (App A Tier 2 Objectives and Procedures C.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service p… (Exam Tier II Obj 3.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Encryption should be used to protect data and prevent unauthorized access throughout the transfer system. (Pg 20, Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer … (§ 314.4 ¶ 1(c)(3), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), FedRAMP Security Controls High Baseline, Version 5)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), FedRAMP Security Controls Low Baseline, Version 5)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), FedRAMP Security Controls Moderate Baseline, Version 5)
  • The IRS's Secure Data Transfer program must be used when Federal Tax Information is transmitted between the IRS and the receiving agency. The system must protect the integrity of all transmitted information. (§ 2.3, Exhibit 4 SC-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is the information for correspondence or transactions on the website that takes place between the Credit Union and its members adequately secured? (IT - General Q 44, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Credit Union implemented the encryption of electronic member information that is in transit? (IT - 748 Compliance Q 6c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is sensitive data encrypted when it is transmitted or received over the Internet and over the Credit Union's network during member sessions? (IT - Security Program Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The verifier SHALL use approved encryption and an authenticated protected channel when requesting memorized secrets in order to provide resistance to eavesdropping and MitM attacks. (5.1.1.2 ¶ 12, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Protocols requiring the transfer of keying information SHALL use a secure method during the registration process to exchange keying information needed to operate the federated relationship, including any shared secrets or public keys. Any symmetric keys used in this relationship SHALL be unique to a… (5.1.1 ¶ 4, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Protocols requiring the transfer of keying information SHALL use a secure method during the registration process to establish such keying information needed to operate the federated relationship, including any shared secrets or public keys. Any symmetric keys used in this relationship SHALL be uniqu… (5.1.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • All communications involved in the administration and network management of WLAN equipment, such as access points and authentication servers, should use strong authentication and encryption. An IPsec connection should be established between each access point and its associated authentication server. (Table 8-1 Item 6, Table 8-4 Item 41, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Data-in-transit is protected (PR.DS-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Data-in-transit is protected (PR.DS-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Data-in-transit is protected. (PR.DS-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure the integrity of transmitted information is protected; integrity protection mechanisms are in place; cryptographic mechanisms are being used to recognize information changes during transmission, unless the system is protected by alter… (SC-8, SC-8(1), SC-8.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Sensitive data communications should use application-level authentication and encryption. (Table 4-2 Item 20, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1) ¶ 1(c) Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1) ¶ 1(c) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1) ¶ 1(c) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Data in transit should be protected by authentication and encryption. The authentication and encryption features available on the handheld device should be enabled as the default setting. (§ 4.1.4, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Data-in-transit are protected. (PR.DS-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization may protect the confidentiality of Personally Identifiable Information that is electronically transmitted by encrypting the communications or encrypting the information before transmitting it. (§ 4.3 Bullet Transmission Confidentiality (SC-9), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Organizations should configure their development tools, orchestrators, and container runtimes to only connect to registries over encrypted channels. The specific steps vary between tools, but the key goal is to ensure that all data pushed to and pulled from a registry occurs between trusted endpoint… (4.2.1 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The smart grid Information System must protect the communicated information's confidentiality. (SG.SC-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must protect the integrity of transmitted information. (App F § SC-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use cryptographic security for information transmission unless protected with physical measures. (App F § SC-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system protects the {confidentiality} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects the {integrity} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects the {integrity} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects the {confidentiality} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects the {confidentiality} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects the {integrity} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Transmit passwords only over cryptographically-protected channels; (IA-5(1) ¶ 1(c), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The confidentiality, integrity, and availability of data-in-transit are protected (PR.DS-02, The NIST Cybersecurity Framework, v2.0)
  • All banking information should be sent over an encrypted line that is, at a minimum, equivalent to 128-bit RC4 technology. (Network Security Amendment, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (§ III. C. 1.(c), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The organization must have controls in place to ensure there is reasonable assurance that transactions are recorded. (§ 240.15d-15(f)(2), 17 CFR Part 240.15d-15, Controls and Procedures)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on any laptop computer or other portable computing or storage device or media. (Section 27-62-4(d)(2) d., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Require an individual to transmit his or her social security number over the internet, unless the connection is secure or the social security number is encrypted; (6-1-715 (1)(c), Colorado Revised Statutes, Title 6, Consumer and Commercial Affairs, Fair Trade and Restraint of Trade, Article 1, Colorado Consumer Protection Act)
  • encryption of all personal information while being transmitted on a public Internet network or wirelessly, (§ 38a-999b(b)(2)(B)(iii), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Protection, by encryption or other appropriate means, of all nonpublic information while such information is transmitted over an external network or stored on a laptop computer or other portable computing or storage device or medium; (Part VI(c)(4)(B)(iv), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Protect by encryption or other appropriate means all nonpublic information while the nonpublic information is transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§ 8604.(d)(2) d., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§431:3B-203(2)(D), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Protecting by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (Sec. 18.(2)(D), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Protect by encryption or other appropriate means, all nonpublic information while the nonpublic information is transmitted over an external network, and all nonpublic information that is stored on a laptop computer, a portable computing or storage device, or portable computing or storage media. (507F.4 4.b.(4), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Protect by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§2504.D.(2)(d), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Protect, by encryption or other appropriate means, all nonpublic information while it is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§2264 4.B.(4), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Protecting by encryption or other appropriate means all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (Sec. 555.(4)(b)(iv), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 60A.9851 Subdivision 4(2)(iv), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 83-5-807 (4)(b)(iv), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media. (§ 420-P:4 IV.(b)(4), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Protect by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (26.1-02.2-03. 4.b.(4), North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Protect by encryption or other appropriate means all nonpublic information while such information is being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (Section 3965.02 (D)(2)(d), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • General rule.--An entity that maintains, stores or manages computerized data on behalf of the Commonwealth that constitutes personal information shall utilize encryption, or other appropriate security measures, to reasonably protect the transmission of personal information over the Internet from bei… (§ 2305a. (a), Pennsylvania Statutes Title 73 Chapter 43, Breach of Personal Information Notification Act)
  • protecting by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (SECTION 38-99-20. (D)(2)(d), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Protect by encryption or other appropriate means nonpublic information being transmitted over an external network and nonpublic information stored on a laptop computer or other portable computing or storage device or media; (§ 56-2-1004 (4)(B)(iv), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted; (§ 47-18-2110(a)(2), Tennessee Code, Title 47, Chapter 18, Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), TX-RAMP Security Controls Baseline Level 1)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), TX-RAMP Security Controls Baseline Level 2)
  • Protect, by encryption or other means, nonpublic information being transmitted over an external network and nonpublic information stored on a portable computer or storage device or media. (§ 601.952(3)(b)4., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)