What is the Encryption in transit control?
Strike Graph's default control language is: "Any sensitive data that is transmitted over public networks, and data in transit is encrypted."
How do I perform this control, what are auditors looking for?
The type of evidence that auditors will accept for this control is extremely varied. If your company is hosting a web application, some evidence that responses to end users are sent via HTTPS is usually an easy way to demonstrate this control. You can also provide evidence that TLS encryption is used; this can be a screenshot of a server configuration or of the actual encryption certificates in use.
If your company does not host a product or platform itself, but it still has customers regularly sending and receiving information, then provide the encryption configurations or other evidence for the actual method by which you communicate with customers. Generally, auditors take a risk-based approach: they are concerned with your production environment, or wherever most customer information is exchanged, so those are the areas you should focus on when pulling evidence.
If your company truly does not host an application or platform then this control may not be applicable. If you suspect that this control is not applicable to your organization, reach out to your CSM.
This control has several different linked evidence items, but only Encryption in Transit, Server Encryption and Encryption Certificates need to be satisfied for a SOC 2 audit.
Encryption in Transit: Show that your platform or service encrypts data in transit using TLS.
Server Encryption: Show that your production VMs or servers are configured to use HTTPS.
Encryption Certificates: Show screenshots of the certificates used for your production environment or application.
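As an added example (not Strike Graph's own tooling), the script below records the three evidence items above from a live endpoint in one reproducible text artifact instead of a screenshot: the negotiated TLS version, the cipher, and the certificate's subject, issuer, expiry and hostname coverage. The hostname app.example.com and the sample certificate dictionary are constructed placeholders.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# so the summary logic can be exercised without a live connection.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "www.example.com")),
}

def _rdn(name):
    """Flatten getpeercert()'s nested RDN tuples into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in name for k, v in rdn)

def summarize_cert(cert, hostname, now=None):
    """Reduce a getpeercert() dict to the facts an auditor wants to see."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject": _rdn(cert["subject"]),
        "issuer": _rdn(cert["issuer"]),
        "expires": not_after.isoformat(),
        "days_left": (not_after - now).days,
        "hostname_covered": hostname in sans,
    }

def tls_evidence(hostname, port=443, timeout=5):
    """Connect with a verifying context and record protocol, cipher and certificate."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "certificate": summarize_cert(tls.getpeercert(), hostname),
            }

if __name__ == "__main__":
    import json, sys
    host = sys.argv[1] if len(sys.argv) > 1 else "app.example.com"  # placeholder host
    print(json.dumps(tls_evidence(host), indent=2))
```

Run it against your production hostname and keep the JSON output with the date it was captured; a failed handshake (untrusted chain, wrong hostname, protocol below TLS 1.2) raises an error instead of producing evidence.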