Encrypt traffic over networks with trusted cryptographic keys.


CONTROL ID
12490
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Use strong data encryption to transmit in scope data or in scope information, as necessary., CC ID: 00564

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • An FI which provides payment card services should implement adequate safeguards to protect sensitive payment card data. The FI should ensure that sensitive payment card data is encrypted to ensure the confidentiality and integrity of these data in storage and transmission, and the processing of sens… (§ 13.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Video conferencing and IP telephony signalling and data is encrypted. (Security Control: 0547; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Information communicated over network infrastructure in areas not authorised for the processing of such information is encrypted as if it was communicated through unsecured spaces. (Security Control: 0157; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Information communicated between database servers and web applications is encrypted. (Security Control: 1277; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Data communicated between database servers and web servers is encrypted. (Control: ISM-1277; Revision: 4, Australian Government Information Security Manual, June 2023)
  • All data communicated over network infrastructure is encrypted. (Control: ISM-1781; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Data communicated between database servers and web servers is encrypted. (Control: ISM-1277; Revision: 4, Australian Government Information Security Manual, September 2023)
  • All data communicated over network infrastructure is encrypted. (Control: ISM-1781; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The control system shall provide the capability to employ cryptographic mechanisms to recognize changes to information during communication. (7.3.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to protect the confidentiality of information at rest and remote access sessions traversing an untrusted network. (8.3.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to protect the confidentiality of information traversing any zone boundary. (8.3.3.2 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption st… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption st… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are only trusted keys and/or certificates accepted? (4.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine keys and certificates to verify that only trusted keys and/or certificates are accepted. (4.1.d, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Review documented policies and procedures to verify processes are specified for the following: - For acceptance of only trusted keys and/or certificates - For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported) - For imp… (4.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Offline - Encryption/decryption of files at the user sites before entering the data communications process is acceptable. These encrypted files would then be attached to or enveloped (tunneled) within an unencrypted header and/or transmission. (ACCEPTABLE ENCRYPTION APPROACHES - SOFTWARE-BASED ENCRYPTION: 5., HIPAA HCFA Internet Security Policy, November 1998)
  • The out-of-band device SHOULD be uniquely addressable and communication over the secondary channel SHALL be encrypted unless sent via the public switched telephone network (PSTN). For additional authenticator requirements specific to the PSTN, see Section 5.1.3.3. Methods that do not prove possessio… (5.1.3.1 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network cont… (§ 6.2.1.5 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Orchestration platforms should be configured to provide features that create a secure environment for all the apps they run. Orchestrators should ensure that nodes are securely introduced to the cluster, have a persistent identity throughout their lifecycle, and can also provide an accurate inventor… (4.3.5 ¶ 1, NIST SP 800-190, Application Container Security Guide)