🔐 10. Data Encryption & Transfer Controls
🧭 Planning:
As part of a security audit, reviewed encryption and data transfer mechanisms used for transmitting and storing sensitive or regulated information (e.g., personal data, financial records, internal communications). The review focused on compliance with internal security policies and external standards such as ISO/IEC 27001 and NIST SC-12/SC-13.
🎯 Objectives:
-
Confirm encryption is applied to data in transit and at rest
-
Evaluate secure protocols for file transfers and communications
-
Identify use of legacy or insecure encryption algorithms
-
Validate access restrictions to encryption keys and tools
📌 Procedures:
-
Reviewed SSL/TLS configurations for web-facing applications
-
Sampled encryption settings on file storage systems and databases
-
Examined use of SFTP/FTPS vs. unencrypted protocols
-
Assessed key management practices, including rotation and storage
-
Verified compliance with internal data classification policy
📑 Working Papers:
-
WP-ITGC-ENC001: Data encryption and transmission controls assessment
-
Screenshots of encryption settings, transfer logs, key inventory
📊 Findings:
-
❗ One internal API endpoint used HTTP instead of HTTPS
-
❗ Files containing sensitive PII were being transferred via unsecured email in two instances
-
⚠️ No documented encryption key rotation schedule
-
⚠️ Data at rest on one legacy system was stored without encryption
🧰 Tools Used:
Network scanner (Nessus), file transfer logs, system config snapshots, encryption key vault review, Excel
✅ Recommendations:
-
Enforce HTTPS on all application interfaces, including internal APIs
-
Mandate the use of secure file transfer protocols (e.g., SFTP, FTPS)
-
Encrypt all sensitive data at rest using AES-256 or equivalent standard
-
Implement and document an encryption key rotation and lifecycle policy
-
Train users on proper secure data transfer procedures and risks
