Answer yes if all data transfers to and from your organisation are approved by relevant parties and secured with an appropriate level of authentication and encryption (such as HTTPS for web traffic including APIs and SFTP for file transfers). Please describe the nature of these controls in the notes section, both technical and procedural.
Data transfers are often a necessary part of providing a service or operating your business. However, if they are not managed correctly, they can create an opportunity for attackers to steal or modify the data.
Data transfers should be secured from both a technical perspective and protected with appropriate governance or authorisation procedures.
As mentioned in previous articles, any communication over a network that is not encrypted can typically be read in transit. The best defence for transferring data over untrusted networks (and even over internal or otherwise trusted networks, as it can add an additional layer of security) is to encrypt the communication.
While internet protocols such as FTP (File Transfer Protocol) and HTTP (Hypertext Transfer Protocol) were historically unencrypted, having been designed before the need for secure transmission was understood, there are now versions of virtually all these protocols (such as SFTP and HTTPS, where the S stands for Secure) that feature encryption.
Most of these protocols work by encrypting the entire communication session, so that the data carried by each network packet is encrypted rather than the original file itself. An unencrypted file therefore arrives at its destination in its original unencrypted form, but every network packet into which it was broken down and transmitted was encrypted, securing it in transit.
To ensure only authorised transfers take place, you may design governance procedures as part of your information security policies which require explicit authorisation before a data transfer takes place if it meets certain criteria, such as:
You may also include technical controls to detect or prevent unauthorised transfers as described in control D38.
Ensure your network security policy dictates that all network data transfers are reviewed and authorised where required and performed over secure protocols. The use of unencrypted protocols should be disallowed. Where, for legacy or other reasons, an encrypted protocol is not available, you should, by exception, implement dedicated secure point-to-point tunnels or VPNs to protect the connection.
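As an added illustration, not part of the original article, the policy above can be checked mechanically against a register of known transfers: each entry needs a recorded approver and must either use an encrypted protocol or be a documented exception carried inside a tunnel or VPN. The register entries, scheme lists and field names below are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample register of inbound/outbound transfers (hypothetical data).
TRANSFER_REGISTER = [
    {"id": "T1", "url": "https://api.partner.example/v1/upload", "approved_by": "CISO", "tunnel": None},
    {"id": "T2", "url": "ftp://files.vendor.example/inbound", "approved_by": "Ops lead", "tunnel": None},
    {"id": "T3", "url": "ftp://legacy.vendor.example/drop", "approved_by": "CISO", "tunnel": "ipsec-vpn-07"},
    {"id": "T4", "url": "sftp://sftp.bank.example/payroll", "approved_by": None, "tunnel": None},
    {"id": "T5", "url": "http://stats.example/export", "approved_by": None, "tunnel": None},
]

# Protocols that encrypt the whole session, and their plaintext predecessors.
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps", "scp"}
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "tftp"}


def audit_transfer(entry):
    """Return a list of policy findings for one register entry (empty list = compliant)."""
    findings = []
    scheme = urlparse(entry["url"]).scheme.lower()

    # Governance check: every transfer needs an explicit, recorded authorisation.
    if not entry.get("approved_by"):
        findings.append("no recorded authorisation")

    # Technical check: encrypted protocol, or a plaintext protocol only as a tunnelled exception.
    if scheme in ENCRYPTED_SCHEMES:
        pass
    elif scheme in PLAINTEXT_SCHEMES and entry.get("tunnel"):
        pass  # legacy protocol permitted by exception inside a dedicated tunnel/VPN
    elif scheme in PLAINTEXT_SCHEMES:
        findings.append(f"unencrypted protocol '{scheme}' without a tunnel exception")
    else:
        findings.append(f"unrecognised scheme '{scheme}'; review manually")
    return findings


def audit_register(register):
    """Map transfer id -> findings for every entry that fails the policy."""
    report = {}
    for entry in register:
        findings = audit_transfer(entry)
        if findings:
            report[entry["id"]] = findings
    return report


if __name__ == "__main__":
    for transfer_id, findings in audit_register(TRANSFER_REGISTER).items():
        print(transfer_id, "->", "; ".join(findings))
```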
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture and governance procedures in a way that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.