DSP-10: Sensitive Data Transfer

CSF v1.1 References:

PF v1.0 References:


This control is new to this version of the control set and incorporates the following items from the previous version: EKM-03: Sensitive Data Protection, GRM-02: Data Focus Risk Assessments.

Control Statement

Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.

Implementation Guidance

When defining processes, procedures, and technical measures for data transfer, consider data transfer both within the organization and externally. Personal data in transit must be protected by strong encryption or similar techniques to prevent unauthorized access through eavesdropping or interception of the transfer.

Auditing Guidance

  1. Examine the organization's procedures and technical requirements for the secure and lawful transfer of personal data and sensitive data. Establish that this process and key controls comply with the organization's data privacy and security policy.
  2. Establish whether the organization has documented the roles and responsibilities for this process.
  3. Select a range of personal data transfers and a range of sensitive data transfers to confirm that each transfer adhered to the organization's policy, procedures, and controls. Confirm that all relevant evidence was formally documented.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.