Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?
Explanation
Cryptographic controls such as encryption, digital signatures, and cryptographic hashes are essential for protecting sensitive data during transmission across networks.
Encryption ensures that data cannot be read if intercepted, digital signatures verify the authenticity of the sender, and cryptographic hashes confirm that data hasn't been altered during transmission.
These controls are particularly important for communications containing sensitive information, remote access connections, and public-facing web applications.
Evidence could include a cryptographic controls policy document, network architecture diagrams showing where encryption is implemented, configuration screenshots of TLS/SSL settings on web servers, VPN configuration details, or results from network scanning tools that verify the use of secure protocols and cipher suites.
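As an added example, not part of this control text: a Python check that audits constructed TLS scanner output (hypothetical hosts) against a minimum-protocol and cipher-suite baseline of the kind that evidence review would look for, and builds a server-side `ssl` context that satisfies that baseline.

```python
"""Audit TLS scan results against a baseline and build a matching server context."""
import ssl

# Constructed sample output from a hypothetical TLS scanner (hosts are not real).
SAMPLE_SCAN = {
    "web-1.example.internal:443": {
        "protocols": ["TLSv1.2", "TLSv1.3"],
        "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    },
    "legacy-app.example.internal:8443": {
        "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
        "ciphers": ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    },
}

# Protocol versions that no longer meet a confidentiality/integrity baseline.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Fragments of OpenSSL suite names that indicate broken or unauthenticated algorithms.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def is_weak_cipher(suite: str) -> bool:
    """True if the suite uses a weak algorithm or offers no forward secrecy."""
    upper = suite.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        return True
    # TLS 1.3 suites (TLS_...) always use ephemeral key exchange;
    # TLS 1.2 suites must name ECDHE or DHE explicitly to have forward secrecy.
    return not (upper.startswith("TLS_") or upper.startswith(("ECDHE", "DHE")))


def audit_scan(scan: dict) -> dict:
    """Return {endpoint: [finding, ...]} for every endpoint that violates the baseline."""
    findings = {}
    for endpoint, result in scan.items():
        issues = [f"deprecated protocol {p}" for p in result["protocols"] if p in DEPRECATED_PROTOCOLS]
        issues += [f"weak cipher {c}" for c in result["ciphers"] if is_weak_cipher(c)]
        if issues:
            findings[endpoint] = issues
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Server context that would pass audit_scan: TLS 1.2+ and forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


if __name__ == "__main__":
    for endpoint, issues in audit_scan(SAMPLE_SCAN).items():
        print(endpoint, "->", "; ".join(issues))
```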
Implementation Example
Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications.
ID: PR.DS-02.228
Context
- Function: PR: PROTECT
- Category: PR.DS: Data Security
- Sub-Category: The confidentiality, integrity, and availability of data-in-transit are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?

