Does your organization automatically encrypt or block outbound communications containing sensitive data based on data classification?
Explanation
This control ensures that sensitive information is protected when transmitted outside the organization by either encrypting it to maintain confidentiality or blocking its transmission entirely when appropriate. The system should be able to identify sensitive content based on established data classification policies and automatically apply the appropriate protection mechanism without requiring manual intervention.
Evidence could include screenshots of DLP (Data Loss Prevention) system configurations, email gateway settings showing encryption/blocking rules, data classification policies tied to automated controls, and logs demonstrating the system in action when sensitive data is detected in outbound communications.
Implementation Example
Automatically encrypt or block outbound emails and other communications that contain sensitive data, depending on the data classification
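The control described above, as an added example rather than code from the page or any particular DLP product: a small Go policy gateway that classifies an outbound message from the label a classification tool stamped on it, raises the level when content inspection finds an unlabelled card number, and then passes, encrypts or blocks the message according to a classification-to-action table, returning a reason string for the audit log. The classification names, the policy table, the card-number detector, the `Message` shape and the 32-byte AES-GCM key are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"regexp"
	"strings"
)

// Classification levels; the label names and policy table are assumptions for this example.
type Classification int

const (
	Public Classification = iota
	Internal
	Confidential
	Restricted
)

// Outbound actions: transmit as-is, transmit only after encryption, or do not transmit.
const Allow, Encrypt, Block = "allow", "encrypt", "block"

var policy = map[Classification]string{Public: Allow, Internal: Allow, Confidential: Encrypt, Restricted: Block}
var labels = map[string]Classification{"public": Public, "internal": Internal, "confidential": Confidential, "restricted": Restricted}

// Message is an outbound message: the label a classification tool stamped on it (may be empty) and the body.
type Message struct{ Label, Body string }

// Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
var cardCandidate = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// luhnValid reports whether a digit string passes the Luhn checksum (every second digit from the right doubled and folded).
func luhnValid(digits string) bool {
	doubled := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9}
	sum := 0
	for i := 0; i < len(digits); i++ {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 {
			d = doubled[d]
		}
		sum += d
	}
	return sum%10 == 0
}

// containsCardNumber is the content-inspection step; the Luhn check drops the false positives a bare digit-run raises on invoice or phone numbers.
func containsCardNumber(body string) bool {
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, c := range cardCandidate.FindAllString(body, -1) {
		if luhnValid(strip.Replace(c)) {
			return true
		}
	}
	return false
}

// classify trusts an explicit label, then raises the level when inspection finds sensitive content the sender left unlabelled; the reason is returned for the audit log.
func classify(m Message) (Classification, string) {
	class, reason := Internal, "unlabelled; default level"
	if c, ok := labels[strings.ToLower(strings.TrimSpace(m.Label))]; ok {
		class, reason = c, "explicit label"
	}
	if class < Confidential && containsCardNumber(m.Body) {
		class, reason = Confidential, "content inspection: Luhn-valid card number"
	}
	return class, reason
}

// seal encrypts the body with AES-256-GCM and prepends the random nonce.
func seal(key, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, nil), nil
}

// enforce classifies one outbound message and applies the policy action with no operator involvement.
// It returns the action, the bytes allowed to leave the gateway (plaintext, ciphertext, or nil when blocked) and the audit reason.
func enforce(m Message, key []byte) (string, []byte, string, error) {
	class, reason := classify(m)
	switch action := policy[class]; action {
	case Encrypt:
		ct, err := seal(key, []byte(m.Body))
		return action, ct, reason, err
	case Block:
		return action, nil, reason, nil
	default:
		return action, []byte(m.Body), reason, nil
	}
}
```

The reason string returned by `enforce` is what turns the decision into the evidence the question asks for: logging `action` and `reason` per message demonstrates the control firing on real traffic. Two design points carry over to a production gateway: the label is trusted only to raise the level, never to lower it below what inspection finds, and the choice between encrypting and blocking is a table driven by the classification policy rather than logic scattered through the code, so a policy change is a one-line edit that can be reviewed.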
ID: PR.DS-02.229
Context
- Function
  - PR: PROTECT
- Category
  - PR.DS: Data Security
- Sub-Category
  - The confidentiality, integrity, and availability of data-in-transit are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?