
Control 5.14: Information Transfer


Summary

Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties. This ensures the protection of information while in transit.


Applicability

In-Scope: Mandatory for organizations that share data with clients, vendors, or partners. It is critical for preventing data interception and ensuring compliance with privacy laws regarding the movement of personal data.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Secure Sharing: Configure SharePoint and OneDrive external sharing settings to require authenticated access and prevent anonymous links for sensitive data.

  • Encryption: Use Microsoft Purview Message Encryption (OME) to ensure that sensitive emails sent outside the organization can only be read by the intended recipient.

  • Governance: Implement Data Loss Prevention (DLP) rules to block the transfer of highly confidential information via unapproved channels like personal webmail or USB.
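As an added example (not from the original page and not Microsoft's own code), the following PowerShell audits a SharePoint Online tenant's external-sharing settings against the "Secure Sharing" guidance above and, when enabled, applies the tightened configuration. It assumes the SharePoint Online Management Shell module is installed, the account holds a SharePoint admin role, and "contoso" is a placeholder tenant name.

```powershell
# Added example: check SharePoint Online / OneDrive external-sharing settings
# against the Control 5.14 "Secure Sharing" baseline and optionally remediate.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint
# admin role. "contoso" is a placeholder tenant name.

$Remediate = $false   # set to $true only after the findings have been reviewed

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Baseline: no anonymous ("Anyone") links, authenticated external users only,
# new sharing links default to specific people with view-only permission.
$baseline = @{
    SharingCapability      = 'ExternalUserSharingOnly'  # 'ExternalUserAndGuestSharing' permits anonymous links
    DefaultSharingLinkType = 'Direct'                   # specific people, not 'AnonymousAccess'
    DefaultLinkPermission  = 'View'
}

$tenant   = Get-SPOTenant
$findings = @()
foreach ($setting in $baseline.Keys) {
    $actual = [string]$tenant.$setting            # enum values compare as their names
    if ($actual -ne $baseline[$setting]) {
        $findings += [pscustomobject]@{
            Setting  = $setting
            Actual   = $actual
            Expected = $baseline[$setting]
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Tenant sharing settings match the baseline."
} else {
    # Evidence for the audit file: which settings deviated and the expected value.
    $findings | Format-Table -AutoSize

    if ($Remediate) {
        Set-SPOTenant -SharingCapability      $baseline.SharingCapability `
                      -DefaultSharingLinkType $baseline.DefaultSharingLinkType `
                      -DefaultLinkPermission  $baseline.DefaultLinkPermission
    }
}

# A site holding highly confidential data can be locked down individually,
# regardless of the tenant default (placeholder site URL).
if ($Remediate) {
    Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Confidential" `
                -SharingCapability Disabled
}
```

The findings table doubles as a "Transmission Logs"-style artifact for the evidence checklist: run it before and after remediation and file both outputs.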


Evidence Checklist

  • Transfer Policies: Documented rules for the secure transfer of information, including approved tools and encryption requirements.

  • Transfer Agreements: Contracts or NDAs with third parties that specify security requirements for data exchange.

  • Transmission Logs: Audit logs showing that sensitive transfers were conducted using approved, encrypted methods.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you verify that the recipient of a sensitive transfer is who they claim to be before the data is sent?

  • What technical controls are in place to prevent employees from using unauthorized services for large file transfers?

  • Can you demonstrate that information is encrypted while in transit across public networks?

  • How does the organization ensure the integrity of the data being transferred to prevent tampering during the process?