SC-8 - Transmission Confidentiality and Integrity

Control requirements

SC-8 - 0

The information system protects the [IBM Assignment: confidentiality, integrity, AND availability] of transmitted information.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Connecting application provider to the management VPC
• Consumer connectivity to workload VPC
• Creating and connecting the management and workload VPCs
• Data encryption in transit
• Working with Red Hat OpenShift on IBM Cloud

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

• Check whether App ID email dispatchers are using HTTPS only
• Check whether Cloud Object Storage is accessible only through HTTPS
• Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
• Check whether App ID webhooks are using HTTPS only
• Check whether App ID redirect URIs are using HTTPS only
• Check whether Cloud Internet Services (CIS) has TLS mode set to End-to-End CA signed
• Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
• Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP

NIST supplemental guidance

This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.