Overview:
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.
Action Items:
1) Create an encryption and cryptography policy and related procedures that outline approved encryption mechanisms and tools implemented within the organization. Then, publish this on the company intranet for employees to access and review.
2) Create a mobile device management policy and related procedures and publish them on the company intranet for employees to access and review.
3) Create a key management policy and procedures and publish them to the company intranet for employees to access and review. This is often a sub-section of the encryption and cryptography policy rather than a standalone document; either way, it should cover, at a minimum, key generation, distribution, storage locations, protection mechanisms, key rotation schedules, destruction, and key custodians.
4) Create a data classification and handling policy and related procedures and publish them to the company intranet for employees to access and review.
5) Inquire of the senior manager of compliance and director of security and engineering operations, or equivalent, to determine that access to the encryption keys is restricted to authorized personnel.
6) Inspect the TLS certificates for the in-scope web servers to determine that web servers utilize TLS encryption for web communication sessions.
7) Inspect the VPN encryption and authentication configurations to determine that an encrypted VPN is required for remote access to production and enforces two-factor authentication.
8) Inspect the management tools to determine that device management tools are configured to manage and encrypt employee workstations and mobile devices.
9) Inspect the encryption configurations of the confidential data to determine that confidential data is stored in an encrypted format and that access to the encryption keys is restricted to authorized personnel.
10) Inspect handling policies to determine that documented policies and procedures are in place to guide personnel in the handling and encryption of stored data.
Related Documents:
1) Encryption and cryptography policy
2) Mobile device management (MDM) policy
3) Key management policy
4) TLS certificates for in-scope web servers
5) VPN encryption and authentication configurations
6) Configurations for device management tools
7) Encryption configurations for stored sensitive data
8) Data classification and handling policy
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Restricts the Ability to Perform Transmission—Data loss prevention processes and technologies are used to restrict the ability to authorize and execute the transmission, movement, and removal of information.
2) Uses Encryption Technologies or Secure Communication Channels to Protect Data—Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.
3) Protects Removal Media—Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate.
4) Protects Mobile Devices—Processes are in place to protect mobile devices (such as laptops, smartphones, and tablets) that serve as information assets.
Article ID: 239
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/soc-2-protecting-information-in-transmission-movement-and-removal-cc6-7-239.html