DS-04 Data Security & Protection

Encryption in Transit

Data on the wire is protected.

Domain: Data Security & Protection
Control type: Preventive
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS TRM – Data

What good looks like

Data in transit encrypted with TLS 1.2+ externally and for sensitive internal traffic.

Risk if it fails

Interception/tampering in transit.

How Tess tests it

3 tests — each concludes only on cited evidence.

TLS standard (1.2+) defined

Design

Procedure: Inspect the standard.
Expected: Minimum TLS version set.
Sample: 1 (design inspection)
Evidence: TLS scan, load-balancer/endpoint config.

External endpoints enforce TLS 1.2+

Operating

Procedure: Scan/inspect endpoints.
Expected: No deprecated protocols/ciphers.
Sample: 25 (or full config inspection)
Evidence: TLS scan, load-balancer/endpoint config.

Sensitive internal traffic encrypted

Operating

Procedure: Inspect internal traffic config.
Expected: Encrypted in transit.
Sample: 25 (or full config inspection)
Evidence: TLS scan, load-balancer/endpoint config.

Evidence Tess looks for

TLS scan, load-balancer/endpoint config.

More in Data Security & Protection

DS-01 Data Classification & Handling DS-02 Network Security / Firewall DS-03 Encryption at Rest DS-05 Cryptographic Key Management

Want Tess to test DS-04 against your evidence?