DATA-02

Is the transport of sensitive data encrypted using security protocols/algorithms (e.g., system-to-client)?

Explanation

This question is asking whether your organization encrypts sensitive data when it is being transmitted between systems (for example, from your servers to a client's web browser or mobile app). In technical terms, this refers to 'data in transit' encryption, which protects information as it moves across networks. Without encryption, data could be intercepted and read by unauthorized parties in what is known as a 'man-in-the-middle' attack. The question specifically mentions 'security protocols/algorithms', which refers to encryption standards such as TLS (Transport Layer Security), SSH (Secure Shell), or HTTPS (HTTP Secure) that are used to create encrypted connections.

This question is asked in a security assessment because protecting sensitive data during transmission is a fundamental security practice and is required by many compliance frameworks (such as HIPAA, PCI DSS, and GDPR). Assessors want to verify that you have appropriate safeguards to prevent unauthorized access to data while it is being transmitted.

When answering, you should:

1. Clearly state whether you encrypt sensitive data in transit
2. Specify which encryption protocols you use (e.g., TLS 1.2/1.3, HTTPS)
3. Mention whether this applies to all systems or whether there are exceptions
4. Note any relevant policies that govern this practice
5. Include information about how you enforce or verify this encryption

Example Responses

Example Response 1

Yes, all sensitive data transported between our systems and clients is encrypted using industry-standard protocols. We enforce TLS 1.2 or higher for all web traffic using HTTPS, with modern cipher suites that meet NIST guidelines. Our API endpoints only accept encrypted connections, and we regularly scan and test our TLS configurations using tools like SSL Labs. For file transfers, we use SFTP with key-based authentication. Our security policy mandates encryption for all sensitive data in transit, and we validate compliance through regular security assessments and continuous monitoring.

Example Response 2

Yes, we encrypt all sensitive data during transport using multiple security protocols. For web-based access, we implement HTTPS with TLS 1.3 across all our applications and services. Our mobile applications use certificate pinning to prevent man-in-the-middle attacks. For internal system-to-system communications, we use mutual TLS authentication to ensure both endpoints are verified. Database connections utilize TLS encryption with strong cipher suites. We maintain a formal encryption standard that defines minimum requirements, and we conduct quarterly reviews of our encryption implementations to ensure they remain current with industry best practices.

Example Response 3

No, we currently do not encrypt all sensitive data during transport. While our primary web application uses HTTPS for customer-facing interfaces, some of our internal system-to-system communications still use unencrypted protocols for legacy reasons. We recognize this as a security gap and have developed a remediation plan to implement TLS 1.2+ encryption across all communication channels by the end of Q3 this year. In the interim, we've implemented compensating controls including network segmentation and strict access controls to minimize risk. Our security roadmap prioritizes completing this encryption initiative as a critical objective.
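The explanation's fifth point (how you enforce or verify the encryption) and the TLS scanning mentioned in Example Response 1 can be backed by a small self-check. The following is an added example, not code from the original page or from ResponseHub: it builds a client context that refuses anything below TLS 1.2 and verifies certificates, then grades the negotiated protocol and cipher suite against an assumed policy (TLS 1.2+, AEAD suites with forward secrecy, at least 128-bit keys). The policy thresholds and the probe's default host are assumptions chosen for illustration.

```python
import socket
import ssl

# Assumed policy, mirroring the response text: TLS 1.2+ only, modern AEAD
# cipher suites with forward secrecy, and at least 128-bit keys.
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON")  # broken/anonymous
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")                        # authenticated encryption
MIN_BITS = 128


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and always verifies
    the server certificate and hostname (no 'verify=False' escape hatch)."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def assess_handshake(version: str, cipher: str, bits: int) -> dict:
    """Grade a negotiated (version, cipher suite, key bits) triple against the
    policy; the findings list is what you would log or put in a compliance report."""
    findings = []
    if version not in ALLOWED_VERSIONS:
        findings.append(f"protocol {version} is below TLS 1.2")
    upper = cipher.upper()
    if any(m in upper for m in WEAK_MARKERS):
        findings.append(f"cipher {cipher} uses a broken or anonymous primitive")
    if not any(m in upper for m in AEAD_MARKERS):
        findings.append(f"cipher {cipher} is not an AEAD suite")
    # TLS 1.3 suites are always ephemeral; TLS 1.2 needs (EC)DHE for forward secrecy.
    if version == "TLSv1.2" and not upper.startswith(("ECDHE", "DHE")):
        findings.append(f"cipher {cipher} lacks forward secrecy")
    if bits < MIN_BITS:
        findings.append(f"{bits}-bit key is below {MIN_BITS} bits")
    return {"version": version, "cipher": cipher, "bits": bits,
            "compliant": not findings, "findings": findings}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and assess what was actually negotiated.
    A handshake failure here already shows the endpoint cannot offer TLS 1.2+."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return assess_handshake(tls.version(), name, bits)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))  # assumed host
```

Run it against each of your own endpoints as part of the regular scanning the response describes; a non-empty findings list is a concrete, reportable gap rather than a vague "we use TLS".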

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub