Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.
Data transfers are often a necessary part of providing a service or operating your business, however, if not managed correctly they can create an opportunity for attackers to steal or modify the data.
Data transfers should be secured from both a technical perspective and protected with appropriate governance or authorisation procedures.
As mentioned in previous articles, any communication over a network that is not encrypted can typically be read in transit. The best defence for transferring data over untrusted networks (and even over internal or otherwise trusted networks, as it can add an additional layer of security) is to encrypt the communication.
While internet protocols such as FTP (File Transfer Protocol) and HTTP (Hyper Text Transfer Protocol) were historically unencrypted before the need for secure transmission was understood, there are now versions of virtually all these protocols (such as SFTP and HTTPS, where the S stands for Secure) that feature encryption.
Most of these protocols work by encrypting an entire communication session where the data carried by each network packet is encrypted (as opposed to the original file). Therefore, an unencrypted file arrives at its destination in its original unencrypted form, but every network packet over which it was broken down and transmitted was encrypted, securing it in transit.
To ensure only authorised transfers take place, you may design governance procedures as part of your information security policies which require explicit authorisation before a data transfer takes place if it meets certain criteria, such as:
You may also include technical controls to detect or prevent unauthorised transfers as described in control D38.
Ensure your network security policy dictates that all network data transfers be reviewed and authorised where required and performed over secure protocols. The use of unencrypted protocols should be disallowed. Where, for legacy or other reasons, an encrypted protocol is not available you should, by exception, implement dedicated secure point-to-point tunnels or VPNs to protect the connection.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture and governance procedures in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.