
Use strong data encryption to transmit restricted data or restricted information over public networks.


CONTROL ID: 00564
CONTROL TYPE: Technical Security
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Manage the use of encryption controls and cryptographic controls., CC ID: 00570

This Control has the following implementation support Control(s):
  • Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls., CC ID: 12492
  • Encrypt traffic over public networks with trusted cryptographic keys., CC ID: 12490
  • Authorize transactions of data transmitted over public networks or shared data networks., CC ID: 00566
  • Implement non-repudiation for transactions., CC ID: 00567
  • Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks., CC ID: 00568
  • Protect application services information transmitted over a public network from unauthorized modification., CC ID: 12021
  • Protect application services information transmitted over a public network from unauthorized disclosure., CC ID: 12020
  • Protect application services information transmitted over a public network from contract disputes., CC ID: 12019
  • Protect application services information transmitted over a public network from fraudulent activity., CC ID: 12018


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • ensuring that adequate encryption mechanisms and other controls are in place to protect the confidentiality and integrity of any sensitive information and documents submitted by the customers via the AIs' corporate websites; (§ 6.2.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should adopt secure and internationally-recognised strong encryption algorithms to protect the confidentiality of customers' information transmitted over external networks including the Internet, and highly sensitive information (e.g. this refers mainly to customers' login credentials such as e-… (§ 5.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • ensuring that adequate encryption mechanisms and other controls are in place to protect the confidentiality and integrity of any sensitive information and documents submitted by the customers; (§ 6.2.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Controls over mobile computing are required to manage the risks of working in an unprotected environment. In protecting AIs’ information, AIs should establish control procedures covering: - an approval process for user requests for mobile computing; - authentication controls for remote access to n… (3.5.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • T26.6: For data transmission, the organization should use encryption and other required security controls to prevent personal identification numbers and passwords from becoming known. T29: The organization should encrypt important data to prevent it from being leaked via wiretapping. (T26.6, T29, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination. (Critical components of information security 15) ix., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Using encryption to protect communications between the access device and the institution and to protect sensitive data residing on the access device (Critical components of information security 25) iii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • As mobile devices are susceptible to theft and loss, the FI should ensure that there is adequate protection of sensitive or confidential information used for mobile online services and payments. The FI should have sensitive or confidential information encrypted to ensure the confidentiality and inte… (§ 12.2.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • For the purpose of exchanging confidential information between the FI and its external parties, the FI should take utmost care to preserve the confidentiality of all confidential information. For this purpose, the FI should at all times take appropriate measures including sending information through… (§ 9.1.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Encrypt or password protect attachments containing personal data that has a higher risk of adversely affecting the individual should it be compromised. The password should be communicated separately. For encryption, review the method of encryption (e.g. algorithm and key length) periodically to ensu… (Annex A1: Email Security 55, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Apply secure connection technologies or protocols when transmitting electronic personal data, such as over a computer network or from one network to another. (Annex A2: Computer Network Security 8, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The organization must use approved encryption methods for communicating sensitive information or classified information over public network infrastructure or infrastructure located in unsecured areas. (Control: 0157, Australian Government Information Security Manual: Controls)
  • The organization must ensure sensitive or classified fax messages are encrypted when they are communicated over an unsecured telecommunications infrastructure or a Public Switched Telephone Network. (Control: 0241, Australian Government Information Security Manual: Controls)
  • The organization must ensure sensitive traffic or classified traffic being sent over external telephone systems is encrypted. (Control: 0232 Bullet 2, Australian Government Information Security Manual: Controls)
  • Communications of sensitive information or classified information between web applications and database systems must be encrypted. (Control: 1277, Australian Government Information Security Manual: Controls)
  • The organization must enable Transport Layer Security encryption on e-mail servers that have incoming e-mail connections or outgoing e-mail connections over the public network infrastructure. (Control: 0572, Australian Government Information Security Manual: Controls)
  • The organization must use a DSD Approved Cryptographic Protocol encryption product to communicate sensitive information over the public network infrastructure. (Control: 1162, Australian Government Information Security Manual: Controls)
  • The organization must use a common criteria-evaluated encryption product with a Defence Signals Directorate cryptographic evaluation to communicate classified information over the public network infrastructure. (Control: 0465, Australian Government Information Security Manual: Controls)
  • The organization must use High Grade Cryptographic Equipment to communicate classified information over networks of a lower classification or the public network infrastructure. (Control: 0467, Australian Government Information Security Manual: Controls)
  • The organization must use a DSD Approved Cryptographic Algorithm, at a minimum, to protect Australian Eyes Only information and Australian Government Access Only information when it is in transit, in addition to encryption that is already implemented for communication mediums. (Control: 0469, Australian Government Information Security Manual: Controls)
  • The organization should protect Internet Protocol telephony signaling, video conferencing signaling, and the data to ensure integrity, confidentiality, authenticity, availability, and non-replayability. (Control: 0547, Australian Government Information Security Manual: Controls)
  • The organization must use an approved encryption methodology on mobile devices that communicate sensitive information or classified information over a public network infrastructure. (Control: 1085, Australian Government Information Security Manual: Controls)
  • The organization should use cryptographic techniques to control access to sensitive information and sensitive data in transit. (¶ 50, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement cryptographic techniques for transmitting critical data, critical information, sensitive data, and/or sensitive data in untrusted environments. (Attach F ¶ 1(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In APRA's view, cryptographic techniques would normally be used to control access to sensitive data/information, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data/information as well as other s… (¶ 50, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Att… (54., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • transmission and storage of critical and/or sensitive data in an 'untrusted' environment or where a higher degree of security is required; (Attachment E 1(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • encryption of data at rest and in transit (in accordance with the data classification). (3.4.4 36(f), Final Report EBA Guidelines on ICT and security risk management)
  • The recording of communications and related traffic data is authorized for lawful business practices for the purpose of providing proof of a transaction or any other business communications. (Art 5.2, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  • Using strong encryption procedures (e.g. AES) and the use of secure network protocols that correspond to the state of the art (e.g. TLS, IPsec, SSH) (Section 5.8 KRY-01 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When personal data is used or processed automatically, the authorities or enterprises internal organization must be arranged to meet the specific requirements of data protection. Measures need to be taken for the type of personal data or data categories to be protected to ensure personal data cannot… (Annex, German Federal Data Protection Act, September 14, 1994)
  • Messages and identification data may be protected by any technical means that the subscribers and users wish to use. This protection must not interfere with the use of any communications or network service. (§ 6(1), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • App 2 ¶ 14.e: For IT systems that process and access restricted information, the system shall use commercial encryption devices to transmit or electronically access restricted information via a public network. For pressing business needs, restricted information may be transmitted in clear text for … (App 2 ¶ 14.e, App 6 ¶ 15.e, The Contractual process, Version 5.0 October 2010)
  • Use of strong cryptography for transmission of cardholder data (4.5, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Enable encryption for all broadcast transmissions (Encryption Mode 3). (4.4.3 G, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Use application-level (on top of the Bluetooth stack) authentication and encryption for sensitive data communication such as SSL. (4.4.3 J, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Use only strong security protocols, such as SSLv3. (4.5.1 A, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Call centers will need to ensure that transmission of cardholder data across public networks is encrypted. (Pg. 9 ¶ 1, Information Supplement: Protecting Telephone-based Payment Card Data, Version 2.0)
  • Verify the use of strong encryption (for example, Secure Sockets Layer and Transport Layer Security or Internet Protocol Security) wherever cardholder data is transmitted or received over open, public networks. (§ 4.1.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies. (§ 4.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Identify all locations where cardholder data is transmitted over open, public networks and examine the configurations to verify each location is using strong cryptography and security protocols for the transmissions. (Testing Procedures § 4.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Select and observe a sample of inbound transmissions and outbound transmissions to verify the cardholder data is encrypted during the transmission. (Testing Procedures § 4.1.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system configurations for Secure Socket Layer and Transport Layer Security implementations to verify Secure Socket Layer and Transport Layer Security is enabled whenever cardholder data is transmitted or received. (Testing Procedures § 4.1.g, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Identify the wireless networks that transmit cardholder data or are connected to a cardholder data environment and examine the configuration settings to verify that industry best practices are used to implement strong encryption for authentication and transmission. (Testing Procedures § 4.1.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Identify the wireless networks that transmit cardholder data or are connected to a cardholder data environment and examine the configuration settings to verify that weak encryption is not used as a security control for authentication or transmission. (Testing Procedures § 4.1.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure sensitive cardholder data transmitted over public networks are safeguarded with the use of strong cryptography. (§ 4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a sample of transactions as they are received and observe transactions as they occur to verify the use of strong encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks. (§ 4.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that strong cryptography is used whenever cardholder data is sent via end-user messaging technologies. (§ 4.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the use of security protocols wherever cardholder data is transmitted or received over open, public networks. (§ 4.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Select a sample of transactions as they are received and observe transactions as they occur to verify that the protocol is implemented to use only secure configurations, and does not support insecure versions or configurations. (§ 4.1.c Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Strong cryptography and security protocols that only accept trusted keys and certificates must be used to safeguard sensitive cardholder data during transmission over open, public networks. (PCI DSS Requirements § 4.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Strong cryptography where the encryption strength is appropriate for the encryption method must be used to safeguard sensitive cardholder data during transmission over open, public networks. (PCI DSS Requirements § 4.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Wireless networks that transmit cardholder data or are connected to the cardholder data environment must use industry best practices for implementing strong encryption. (PCI DSS Requirements § 4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (8.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions o… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. (4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Encrypt transmission of cardholder data across open, public networks. (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Encrypt transmission of cardholder data across open, public networks. (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. (8.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: - Only trusted keys and certificates are accepted. - The protocol in use only supports secure versions or configurations. - The encryption st… (4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission. (4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Revision 1.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? (4.1 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? (4.1 (e), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For service providers only: Is strong cryptography used to render all non-consumer customers’ authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components? (8.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? (4.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? (4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Encrypt transmission of cardholder data across open, public networks (Requirement 4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.1)
  • Identify all locations where cardholder data is transmitted or received over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations. (4.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Select and observe a sample of inbound and outbound transmissions as they occur (for example, by observing system processes or network traffic) to verify that all cardholder data is encrypted with strong cryptography during transit. (4.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings to verify the following for all wireless networks identified: - Industry best practices are used to implement strong … (4.1.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission. (8.2.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional testing procedure for service provider assessments only: Observe data transmissions to verify that non-consumer customer passwords are unreadable during transmission. (8.2.1.e, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage. (8.2.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • § 4.5.1.A SSLv3 is mandatory for traffic that carries cardholder data. § 4.5.1.B When possible, 256-bit encryption is preferred. (§ 4.5.1.A, § 4.5.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Security protocols, such as SSL, TLS, and IPSEC, and strong cryptography should be used to encrypt cardholder data during transmissions over open, public networks. Examples of open, public networks include the Internet, WiFi, global system for mobile communications (GSM), and general packet radio se… (§ 12.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? (PCI DSS Question 4.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization should have a secure process to submit authorization requests through the Internet. The organization should use encryption for transaction data transmissions. (Pg 18, Pg 19, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The security of instant messaging applications should be improved by using encryption to protect the contents of sensitive messages. (CF.15.02.03b, The Standard of Good Practice for Information Security)
  • Sensitive information in transit should be protected against unauthorized disclosure by using encryption (e.g., using secure sockets layer, Transport Layer Security, or equivalent). (CF.04.02.04a, The Standard of Good Practice for Information Security)
  • Information Systems and networks accessible by external connections should be designed to protect sensitive information stored on Information Systems and transmitted to external party locations (e.g., using encryption). (CF.09.03.02c, The Standard of Good Practice for Information Security)
  • The integrity of critical information should be protected by encrypting information when in transit. (CF.05.03.05a, The Standard of Good Practice for Information Security)
  • The security of instant messaging applications should be improved by using encryption to protect the contents of sensitive messages. (CF.15.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Sensitive information in transit should be protected against unauthorized disclosure by using encryption (e.g., using secure sockets layer, Transport Layer Security, or equivalent). (CF.04.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Information Systems and networks accessible by external connections should be designed to protect sensitive information stored on Information Systems and transmitted to external party locations (e.g., using encryption). (CF.09.03.02c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of critical information should be protected by encrypting information when in transit. (CF.05.03.05a, The Standard of Good Practice for Information Security, 2013)
  • All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. (Control 14.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use a secondary encryption channel for protocols that do not natively support strong encryption. (Critical Control 3.9, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system should encrypt information whenever the information flows over a network of lower trust level. (Critical Control 15.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should encrypt all sensitive information that is communicated over less secure networks. (Critical Control 15.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interf… (EKM-03, Cloud Controls Matrix, v3.0)
  • Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separa… (EKM-04, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established and mechanisms implemented for encrypting sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging). (IS-18, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Electronic commerce (e-commerce) related data traversing public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure or modification in such a manner to prevent contract dispute and compromise of data. (IS-28, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, 7.1)
  • Encrypt all sensitive information in transit. (CIS Control 14: Sub-Control 14.4 Encrypt All Sensitive Information in Transit, CIS Controls, 7.1)
  • Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. (CIS Control 16: Sub-Control 16.5 Encrypt Transmittal of Username and Authentication Credentials, CIS Controls, 7.1)
  • Use multi-factor authentication and encrypted channels for all administrative account access. (CIS Control 4: Sub-Control 4.5 Use Multifactor Authentication For All Administrative Access, CIS Controls, V7)
  • Encrypt all sensitive information in transit. (CIS Control 14: Sub-Control 14.4 Encrypt All Sensitive Information in Transit, CIS Controls, V7)
  • Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. (CIS Control 16: Sub-Control 16.5 Encrypt Transmittal of Username and Authentication Credentials, CIS Controls, V7)
  • ¶ 8.2.5(1) Cryptography. An organization should implement safeguards to assure cryptography procedures are in place. Cryptography is a mathematical means of transforming data to provide security. It can be used for many different purposes in IT security, for example, cryptography can help to provid… (¶ 8.2.5(1), ¶ 9.2 Table Row "Data Confidentiality Protection", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Data Confidentiality Over Networks. In circumstances where preservation of confidentiality is important, encryption safeguards should be considered to encrypt information passing over network connections. The decision to use encryption safeguards should take account of: • relevant government laws … (¶ 13.9, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Online transactions should be protected against misrouting, incomplete transmission, unauthorized disclosure, duplication, and message alteration. Organizations using online transactions should ensure that user credentials are verified; the communications path is encrypted; electronic signatures are… (§ 10.9.2, ISO 27002 Code of practice for information security management, 2005)
  • PII that is transmitted over public data-transmission networks should be encrypted prior to transmission. (§ A.10.6 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The organization should subject PII transmitted over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination. (§ 8.4.3 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization should subject PII transmitted (e.g., sent to another organization) over a data-transmission network to appropriate controls designed to ensure that the data reaches its intended destination. (§ 7.4.9 Control, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Controls for data-in-transit include, but are not restricted to, appropriate encryption, authentication and access control. (PR.DS-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Security Prin. and Criteria Table § 3.6, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Availability Prin. and Criteria Table § 3.9, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Processing Integrity Prin. and Criteria Table § 3.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Encryption is used to protect user authentication information and the corresponding session that is transmitted over the Internet or other public networks. (Confidentiality Prin. and Criteria Table § 3.12, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Personal information that is collected and transmitted over the Internet, wireless networks, and other public or nonsecure networks is protected with industry standard encryption technology. (Generally Accepted Privacy Principles and Criteria § 8.2.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as encrypting personal information that is sent over the Internet. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should encrypt personal information that it collects and transmits over wireless networks. (Table Ref 8.2.5, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points. (CC6.7 Uses Encryption Technologies or Secure Communication Channels to Protect Data, Trust Services Criteria)
  • Protect by encryption or other appropriate means, all Nonpublic Information while being transmitted over an external network and all Nonpublic Information stored on a laptop computer or other portable computing or storage device or media; (Section 4.D ¶ 1(2)(d), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • encrypting data in motion, (e.g., encrypting email attachments containing customer information or other sensitive information), to reduce the risk of unauthorized interception; and (Information Security Program Bullet 3 Deployment of Protective Measures Against the Identified Threats and Vulnerabilities ¶ 1 Sub-bullet 14, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Is wireless networking technology encrypted using strong encryption (Wireless Fidelity Protected Access v2 or higher)? (§ G.12.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When scoped data is sent or received electronically or via physical media, is the data encrypted during transit while outside the network? (§ G.14.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When scoped data is sent or received electronically, is the data encrypted when it is sent via e-mail? (§ G.14.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that transmit scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are passwords encrypted in transit? (§ G.16.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are passwords encrypted in transit? (§ G.17.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are passwords encrypted in transit? (§ G.18.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, is transmission encrypted? (§ G.18.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, are passwords encrypted in transit? (§ G.19.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, are passwords encrypted in transit? (§ G.20.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When encryption tools are managed and maintained for scoped data, are encryption keys encrypted when transmitted? (§ I.6.5, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • For cloud computing services, is scoped data encrypted when transiting to third party vendors? (§ V.1.11.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing application program interfaces, is scoped data encrypted in the Application Program Interface response? (§ V.1.39.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing application program interfaces, is scoped data encrypted in the Application Program Interface request? (§ V.1.39.7, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are passwords encrypted in transit? (§ V.1.72.17, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 4.3 ¶ 2: The organization shall not transport data that includes personally identifiable information from a CMS data center, unless it is encrypted. The encryption requirement may be waived with written approval from the data's business owner, followed by "wet" signatures by the CMS chief inform… (§ 4.3 ¶ 2, Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 7 ¶ 1: The organization must use technologies that let users prove who they say they are and encrypt data to avoid inappropriate disclosure or modification, so data can travel over the Internet safely and only be disclosed to authorized parties. The organization must implement encryption at a le… (§ 7 ¶ 1, § 7 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998)
  • S-MIME - Standard commercial implementations of encryption in the e-mail layer are acceptable. (ACCEPTABLE ENCRYPTION APPROACHES - SOFTWARE-BASED ENCRYPTION: 3., HIPAA HCFA Internet Security Policy, November 1998, Remapping)
  • HCFA Privacy Act-protected and/or other sensitive HCFA information sent over the Internet must be accessed only by authorized parties. Technologies that allow users to prove they are who they say they are (authentication or identification) and the organized scrambling of data (encryption) to avoid i… (§ 7 ¶ 1, HIPAA HCFA Internet Security Policy, November 1998, Remapping)
  • The organization must protect sensitive data that is transmitted electronically outside the secured network, from source to destination, using a FIPS-approved encryption standard and via secured communications. Cryptographic mechanisms must be used to recognize changes and to prevent unauthorized in… (CSR 10.4.5, CSR 10.10.1(4), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (§ III.C(1)(c), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • The organization must have controls in place to ensure there is reasonable assurance that transactions are recorded. (§ 103(a)(2)(A)(iii)(II)(bb), The Sarbanes-Oxley Act of 2002 (SOX))
  • The information assurance manager must ensure that Department of Defense sensitive data that is transiting non-department of defense networks or wireless networks is protected with a Federal Information Processing Standard 140-2 validated cryptographic module using a National Institute of Standards … (§ 3.4.2.1 ¶ AC34.065, DISA Access Control STIG, Version 2, Release 3)
  • The security administrator must configure the biometric system to encrypt and digitally sign all biometric reference data before transmitting it using Department of Defense-approved Public Key Infrastructure. (§ 4.6 ¶ BIO2009, DISA Access Control STIG, Version 2, Release 3)
  • The security administrator must configure the biometric system to encrypt transmissions from one device to another with National Institute of Standards and Technology Federal Information Processing Standard 140-2 validated cryptography. (§ 4.6 ¶ BIO2010, DISA Access Control STIG, Version 2, Release 3)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC.3.177, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC.3.185, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • National Security Agency-approved cryptography must be used to separately encrypt classified data that is transmitted through a network that is cleared at a lower level than the transmitted data. (ECCT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Information that must be separated from other information for need-to-know reasons, while it is in transit through a network at the same classification level, must be encrypted with National Institute of Standards and Technology-certified cryptography, at a minimum. (ECNK-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Source and Methods Intelligence information that must be separated from other information for need-to-know reasons, while it is in transit through a network at the same classification level, must be encrypted with National Security Agency-approved cryptography. (ECNK-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • § 170.210(c): To verify electronic health information has not been altered in transit, a hashing algorithm that has a security strength equal to or greater than SHA-1 must be used. § 170.302(v): Complete electronic health records (EHRs) or EHR modules must be capable of encrypting and decrypting e… (§ 170.210(c), § 170.302(v), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • Use of encryption and the transmission of sensitive/confidential information over the Internet—address agency policy, procedures, and technical contact for assistance. (§ 5.2.1.3 ¶ 1(9), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Prevent CJI from being transmitted unencrypted across the public network. (§ 5.10.1 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption. When encryption is employed, the cryptographic module used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to pro… (§ 5.10.1.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Verifiers shall use approved encryption and an authenticated protected channel when requesting passwords to protect against eavesdropping and Man-in-the-Middle (MitM) attacks. (§ 5.6.2.1.1.2 ¶ 1(8), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • CJI transmitted via a single or multi-function device over a standard telephone line is exempt from encryption requirements. CJI transmitted external to a physically secure location using a facsimile server, application or service which implements email-like technology, shall meet the encryption req… (§ 5.10.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 13, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • All wireless transactions should be encrypted. (Pg E-2, Obj 5.2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should implement internal controls for processing transactions. (Pg C-7, FFIEC IT Examination Handbook - Operations, July 2004)
  • Encrypted data transmission and storage. (App A Tier 2 Objectives and Procedures N.7 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service p… (App A Tier 2 Objectives and Procedures C.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess whether the institution encrypts telecommunications lines used to receive and transmit retail customer and financial institution counterparty data. If not encrypted, evaluate the compensating controls to secure retail payment data in transit. Assess whether any connecting technology service p… (Exam Tier II Obj 3.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Encryption should be used to protect data and prevent unauthorized access throughout the transfer system. (Pg 20, Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Stores and transmits only encrypted representations of passwords; (IA-5(1)(c) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The IRS's Secure Data Transfer program must be used when Federal Tax Information is transmitted between the IRS and the receiving agency. The system must protect the integrity of all transmitted information. (§ 2.3, Exhibit 4 SC-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is the information for correspondence or transactions on the website that takes place between the Credit Union and its members adequately secured? (IT - General Q 44, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Credit Union implemented the encryption of electronic member information that is in transit? (IT - 748 Compliance Q 6c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is sensitive data encrypted when it is transmitted or received over the Internet and over the Credit Union's network during member sessions? (IT - Security Program Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The verifier SHALL use approved encryption and an authenticated protected channel when requesting memorized secrets in order to provide resistance to eavesdropping and MitM attacks. (5.1.1.2 ¶ 12, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Protocols requiring the transfer of keying information SHALL use a secure method during the registration process to exchange keying information needed to operate the federated relationship, including any shared secrets or public keys. Any symmetric keys used in this relationship SHALL be unique to a… (5.1.1 ¶ 4, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Protocols requiring the transfer of keying information SHALL use a secure method during the registration process to establish such keying information needed to operate the federated relationship, including any shared secrets or public keys. Any symmetric keys used in this relationship SHALL be uniqu… (5.1.2 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • All communications involved in the administration and network management of WLAN equipment, such as access points and authentication servers, should use strong authentication and encryption. An IPsec connection should be established between each access point and its associated authentication server. (Table 8-1 Item 6, Table 8-4 Item 41, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Data-in-transit is protected (PR.DS-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Data-in-transit is protected. (PR.DS-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure the integrity of transmitted information is protected; integrity protection mechanisms are in place; cryptographic mechanisms are being used to recognize information changes during transmission, unless the system is protected by alter… (SC-8, SC-8(1), SC-8.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Sensitive data communications should use application-level authentication and encryption. (Table 4-2 Item 20, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Data in transit should be protected by authentication and encryption. The authentication and encryption features available on the handheld device should be enabled as the default setting. (§ 4.1.4, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Data-in-transit are protected. (PR.DS-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization may protect the confidentiality of Personally Identifiable Information that is electronically transmitted by encrypting the communications or encrypting the information before transmitting it. (§ 4.3 Bullet Transmission Confidentiality (SC-9), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The smart grid Information System must protect the communicated information's confidentiality. (SG.SC-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (3.13.11, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (3.13.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must protect the integrity of transmitted information. (App F § SC-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use cryptographic security for information transmission unless protected with physical measures. (App F § SC-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Remapping)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Remapping)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4, Remapping)
  • The information system protects the {confidentiality} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system protects the {integrity} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system protects the {integrity} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects the {confidentiality} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects the {confidentiality} of transmitted information. (SC-8 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system protects the {integrity} of transmitted information. (SC-8, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Stores and transmits only cryptographically-protected passwords; (IA-5(1)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Remapping)
  • All banking information should be sent over an encrypted line that is, at a minimum, equivalent to 128-bit RC4 technology. (Network Security Amendment, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access; (§ III. C. 1.(c), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The organization must have controls in place to ensure there is reasonable assurance that transactions are recorded. (§ 240.15d-15(f)(2), 17 CFR Part 240.15d-15, Controls and Procedures)
  • Require an individual to transmit his or her social security number over the internet, unless the connection is secure or the social security number is encrypted; (6-1-715 (1)(c), Colorado Revised Statutes, Title 6, Consumer and Commercial Affairs, Fair Trade and Restraint of Trade, Article 1, Colorado Consumer Protection Act)
  • encryption of all personal information while being transmitted on a public Internet network or wirelessly, (§ 38a-999b(b)(2)(B)(iii), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • protecting by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media; (38-99-20 (D)(2)(d), South Carolina Code of Laws, Title 38, Chapter 99 Insurance Data Security Act, Section 38-99-10 - 38-99-100)
  • Be required to be transmitted over the Internet, unless the Internet connection used is secure or the social security number is encrypted; (§ 47-18-2110(a)(2), Tennessee Code, Title 47, Chapter 18, Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)