SOC 2 CC6.7: Logical and Physical Access - Transmission of Data
What This Control Requires
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives.
In Plain Language
Data is most vulnerable when it's moving. Whether it's crossing the internet, being copied to a USB drive, or getting emailed to a partner, data in transit leaves the relative safety of your controlled environment. CC6.7 is about making sure it stays protected throughout.
This covers encryption of data in transit across all channels, controls over how data moves (email, file sharing, APIs, removable media), data loss prevention measures, and policies governing what can be sent where. The goal is to prevent unauthorised access during movement and ensure transfers are both authorised and tracked.
Auditors will check that you encrypt data in transit with current protocols, that transfer mechanisms are controlled and monitored, that you have policies governing data movement, and that sensitive data isn't leaking through unauthorised channels.
How to Implement
Encrypt all data in transit. Enforce TLS 1.2 or higher for web traffic, API communications, and email. Use IPsec or equivalent for site-to-site VPN connections. Encrypt internal network communications that involve sensitive data too. Disable deprecated protocols (SSL, TLS 1.0, TLS 1.1) entirely.
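As an added example (not part of the original guide and not AuditFront's own tooling), the Python script below shows one way to produce the kind of TLS evidence this step asks for: it audits nginx `ssl_protocols` directives for the deprecated protocols named above and builds a client-side TLS context that refuses any handshake below TLS 1.2. The nginx snippets are constructed samples; the `ssl_protocols` directive and the `ssl.TLSVersion` API are real, while the function names and the deprecated-protocol set are this example's own choices.

```python
import re
import ssl
from typing import List, Tuple

# Protocol names the guidance above says must be disabled entirely.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed nginx snippets used as sample input (not from any real deployment).
WEAK_NGINX_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    # A legacy integration left the old protocols enabled
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_NGINX_CONF = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Matches an active (not commented-out) ssl_protocols directive.
SSL_PROTOCOLS_RE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def audit_ssl_protocols(conf: str) -> Tuple[List[str], List[str]]:
    """Return (protocols enabled by the config, deprecated ones among them)."""
    enabled: List[str] = []
    for m in SSL_PROTOCOLS_RE.finditer(conf):
        enabled.extend(m.group(1).split())
    deprecated = sorted(DEPRECATED_PROTOCOLS.intersection(enabled))
    return enabled, deprecated


def config_is_compliant(conf: str) -> bool:
    """Pass only if ssl_protocols is set explicitly and lists no deprecated protocol.

    A missing directive falls back to the nginx build's default, which on older
    builds still includes TLSv1 and TLSv1.1, so it is treated as non-compliant.
    """
    enabled, deprecated = audit_ssl_protocols(conf)
    return bool(enabled) and not deprecated


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses handshakes below TLS 1.2 (ssl.TLSVersion, Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NGINX_CONF), ("hardened", HARDENED_NGINX_CONF)):
        enabled, deprecated = audit_ssl_protocols(conf)
        print(f"{name}: enabled={enabled} deprecated={deprecated} "
              f"compliant={config_is_compliant(conf)}")
    print("client minimum TLS version:", hardened_client_context().minimum_version.name)
```

Running the audit across the real config repository on a schedule, and keeping its output, gives the auditor a dated record that the deprecated protocols stayed disabled rather than a one-off screenshot.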
Create a data transfer policy that defines approved methods for moving data internally and externally. Classify transfer methods by the sensitivity of data they can carry. Highly sensitive data should only move through encrypted, access-controlled channels. General business data can use standard corporate email.
Deploy data loss prevention (DLP) controls at network egress points, on endpoints, and within cloud applications. Configure rules to catch sensitive data patterns - PII, financial data, intellectual property - leaving through unauthorised channels.
Restrict removable media. Set policies and technical controls limiting USB drives, external hard drives, and similar media. Where removable media is genuinely needed, enforce encryption and logging. Consider disabling USB storage access on endpoints that don't need it.
Provide approved enterprise file sharing solutions (SharePoint, Google Drive, Dropbox Business, etc.) with proper access controls, audit logging, and encryption. Block or monitor unauthorised file sharing services. Put expiration dates and access controls on shared links.
Monitor data transfer activity. Track large transfers, transfers to external destinations, and unusual channels. Set up alerts for anomalous data movement that could indicate exfiltration. Review transfer logs and DLP alerts regularly.
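The DLP pattern rules described earlier and the transfer monitoring described here share the same input, so one added example (not from the original guide and not AuditFront's own code) covers both: it scans a constructed log of outbound transfers for card numbers and SSNs, validates card candidates with the Luhn checksum to cut false positives, and flags large transfers to external destinations. The sample records, the internal domain suffix `.corp.example` and the 1 GB threshold are all assumptions made for the example; a real deployment would take its records from the DLP or proxy logs and its thresholds from the data transfer policy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample of outbound transfer records (not real data), one per
# transfer: (user, destination domain, bytes sent, excerpt of the payload).
SAMPLE_TRANSFERS: List[Tuple[str, str, int, str]] = [
    ("alice", "partner.example", 48_000, "Q3 forecast attached, see spreadsheet"),
    ("bob", "mail.example", 2_300, "card on file 4111 1111 1111 1111 exp 12/27"),
    ("carol", "drive.example", 3_500_000_000, "archive.tar.gz"),
    ("dave", "hr.corp.example", 120_000, "SSN 123-45-6789 for onboarding"),
    ("erin", "mail.example", 900, "order number 4111 1111 1111 1112"),
]

INTERNAL_DOMAIN_SUFFIX = ".corp.example"   # assumed corporate domain
LARGE_TRANSFER_BYTES = 1_000_000_000        # assumed alerting threshold (1 GB)

# 13-16 digits, optionally separated by spaces or hyphens, as card numbers are typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN written as NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_patterns(text: str) -> List[str]:
    """Return the names of the sensitive-data patterns found in a payload excerpt."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append("card_number")
    if SSN_RE.search(text):
        hits.append("ssn")
    return hits


def is_external(domain: str) -> bool:
    return not domain.endswith(INTERNAL_DOMAIN_SUFFIX)


@dataclass
class Finding:
    user: str
    destination: str
    reasons: List[str] = field(default_factory=list)


def review_transfers(records) -> List[Finding]:
    """Flag external transfers that carry sensitive patterns or unusual volume."""
    findings = []
    for user, dest, nbytes, excerpt in records:
        reasons = []
        if is_external(dest):
            patterns = find_sensitive_patterns(excerpt)
            if patterns:
                reasons.append("sensitive data to external destination: " + ", ".join(patterns))
            if nbytes >= LARGE_TRANSFER_BYTES:
                reasons.append(f"large external transfer: {nbytes} bytes")
        if reasons:
            findings.append(Finding(user, dest, reasons))
    return findings


if __name__ == "__main__":
    for f in review_transfers(SAMPLE_TRANSFERS):
        print(f.user, f.destination, "; ".join(f.reasons))
```

On the sample data only bob (a Luhn-valid card number sent to an external mail domain) and carol (a multi-gigabyte upload to an external drive) are flagged; erin's digit string fails the checksum and dave's SSN stays inside the corporate domain. The findings list is what the regular DLP alert review in the evidence section would be built on.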
Evidence Your Auditor Will Request
- Encryption standards and evidence that TLS 1.2+ is enforced for all data in transit
- Data transfer policy specifying approved methods and channels for data movement
- DLP configuration and alert review records showing monitoring of unauthorized data transfers
- Removable media policy and technical enforcement evidence (USB controls, encryption requirements)
- File sharing solution configurations with access controls, logging, and approved service list
Common Mistakes
- Legacy systems or integrations still use deprecated encryption protocols (SSL, TLS 1.0/1.1)
- No data loss prevention controls, allowing sensitive data to leave the organization undetected
- Removable media usage is unrestricted, enabling unmonitored data removal
- Employees use personal file sharing services for business data without organizational oversight
- Data transfers to third parties are not encrypted or are sent through insecure channels like unencrypted email
Related Controls Across Frameworks
Frequently Asked Questions
Is TLS 1.2 sufficient, or should we require TLS 1.3?
How do we handle data transfers to international locations?
Do we need enterprise DLP tools?
AuditFront helps you manage every SOC 2 control, collect evidence, and stay audit-ready.