SOC 2 (Systems and Organization Controls)
CC6.7: Restriction and protection of information in transmission, movement or removal

Requirement description

The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

Points of focus:

- Restricts the Ability to Perform Transmission
- Uses Encryption Technologies or Secure Communication Channels to Protect Data
- Protects Removal Media
- Protects Mobile Devices

How to fill the requirement

Safe disposal of laptops
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements: 13

Examples of other requirements this task affects:

- 8.3.2: Disposal of media (ISO 27001)
- 11.2.7: Secure disposal or re-use of equipment (ISO 27001)
- PR.DS-3: Asset management (NIST)
- TEK-21: Destruction of data in electronic form (Julkri)
- 7.10: Storage media (ISO 27001)

1. Task description

The organization has defined procedures for the safe disposal of laptops that are no longer required.

Process for theft / disappearance of mobile equipment
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements: 7

Examples of other requirements this task affects:

- 6.2.1: Mobile device policy (ISO 27001)
- 6.6.4: Security of physical premises, devices and printouts (Omavalvontasuunnitelma)
- 8.1: User endpoint devices (ISO 27001)
- CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)
- 4.11: Enforce Remote Wipe Capability on Portable End-User Devices (CIS 18)

1. Task description

Procedures have been established for the theft or loss of mobile devices.

The user may be required to e.g.:

  • change network access codes
  • report the situation to the IT department (and, if necessary, to the police or mobile access provider)
  • change any other credentials that may have been compromised

The organizational process in the event of a device loss may include, for example, wiping the device remotely (at least the organization's data on it).

Encryption of laptops
Theme: Technical cyber security
Policy: Encryption
Other requirements: 21

Examples of other requirements this task affects:

- Article 30.1.h: Cryptography (NIS2 Croatia)
- 9.8 §: Encryption (Kyberturvallisuuslaki)
- 3.1.4: Management of IT and mobile data storage devices (TISAX)
- 30 § 3.8°: Cryptography and encryption (NIS2 Belgium)
- 2.7.3: Encrypt storage media which contain confidential data and which can easily be lost or compromised (NSM ICT-SP)

1. Task description

Laptops are protected by full-disk encryption.

Acquisition and instructions for a VPN-service
Theme: Remote work and mobile devices
Policy: Remote work
Other requirements: 14

Examples of other requirements this task affects:

- 9.1.2: Access to networks and network services (ISO 27001)
- 6.2.2: Teleworking (ISO 27001)
- 14.1.2: Securing application services on public networks (ISO 27001)
- TEK-18.1: Remote access - encryption of data and communications (Julkri)
- 6.7: Remote working (ISO 27001)

1. Task description

The organisation's data may only be processed on a predefined, trusted network, or through a VPN service defined by the organisation.

For example, a coffee shop's Wi-Fi network is often either completely unencrypted or protected by a password that is freely available to everyone. In that case, information sent over the network is vulnerable to interception by others on the same network. A VPN connection encrypts the information regardless of the network's own settings.

Process for secure disposal of removable media containing confidential information
Theme: Management of data sets
Policy: Removable media
Other requirements: 15

Examples of other requirements this task affects:

- 8.3.2: Disposal of media (ISO 27001)
- A.11.7: Secure disposal of hardcopy materials (ISO 27018)
- 11.2.7: Secure disposal or re-use of equipment (ISO 27001)
- PR.DS-3: Asset management (NIST)
- PR.IP-6: Data destruction (NIST)

1. Task description

Unnecessary media should be disposed of in a safe, industry-accepted manner (such as by incineration, shredding or wiping) in accordance with formal procedures. Media that requires safe disposal must be clearly marked.

Data destroyed in accordance with the process should not be recoverable, even by forensic means.

Encryption of portable media
Theme: Technical cyber security
Policy: Encryption
Other requirements: 23

Examples of other requirements this task affects:

- Article 30.1.h: Cryptography (NIS2 Croatia)
- 9.8 §: Encryption (Kyberturvallisuuslaki)
- 2.7.3: Encrypt storage media which contain confidential data and which can easily be lost or compromised (NSM ICT-SP)
- PR.PT-2: Removable media is protected, and its use restricted according to policy. (CyberFundamentals)
- PR.PT-2: Removable media (NIST)

1. Task description

Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

Encryption of public network traffic for application services
Theme: Development and cloud
Policy: Secure development
Other requirements: 14

Examples of other requirements this task affects:

- 13.2.3: Electronic messaging (ISO 27001)
- 14.1.2: Securing application services on public networks (ISO 27001)
- 14.1.3: Protecting application services transactions (ISO 27001)
- 14.2.5: Secure system engineering principles (ISO 27001)
- A.11.6: Encryption of PII transmitted over public data-transmission networks (ISO 27018)

1. Task description

Information included in application services transmitted over public networks must be protected against fraudulent and non-contractual activity and against unauthorized disclosure and alteration.

We use strong encryption and security protocols (e.g. TLS, IPsec, SSH) to protect confidential information when it is transmitted over public networks in connection with the IT services we develop.

Using a mobile device management system
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements: 11

Examples of other requirements this task affects:

- 6.2.1: Mobile device policy (ISO 27001)
- 8.1: User endpoint devices (ISO 27001)
- CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)
- 3.1.4: Management of IT and mobile data storage devices (TISAX)
- DE.CM-5: Unauthorized mobile code is detected. (CyberFundamentals)

1. Task description

Mobile Device Management (MDM) helps secure and manage staff mobile devices, whether they are iPhones, iPads, Android devices, or Windows devices. E.g. a Microsoft 365 subscription includes the basics of mobile device management.

A mobile device management system can be used, for example, to configure device security policies, wipe devices remotely and obtain accurate device usage reporting.

Mobile device security policies and their monitoring
Theme: Remote work and mobile devices
Policy: Mobile device management
Other requirements: 8

Examples of other requirements this task affects:

- 6.2.1: Mobile device policy (ISO 27001)
- 8.1: User endpoint devices (ISO 27001)
- CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)
- 6.10: Management of workstations, mobile devices and operating environment support services (Tietoturvasuunnitelma)
- 3.1.4: Management of IT and mobile data storage devices (TISAX)

1. Task description

The security policies defined in the mobile device management system aim to protect the organization’s data. For example, to reduce the risk posed by a lost device, you can specify that the device is locked after 5 minutes of inactivity or completely wiped after 3 failed login attempts.

It may make sense to test new policies first with a small group of users. Policies also require oversight. A policy can initially be run in a mode that reports non-compliant settings to the administrator without blocking access entirely.

Securing the physical transport of data, devices and media
Theme: Management of data sets
Policy: Removable media
Other requirements: 6

Examples of other requirements this task affects:

- 8.3.3: Physical media transfer (ISO 27001)
- 7.10: Storage media (ISO 27001)
- CC6.7: Restriction and protection of information in transmission, movement or removal (SOC 2)

1. Task description

When information is sent, for example, by postal, courier or transport services, paper documents or data media may be exposed to unauthorized use, misuse or corruption during transport.

To ensure safe transportation, the organization has defined procedures for:

  • selection and documentation of reliable transport services
  • verifying the identity of transport staff
  • ensuring safe packaging
  • documentation of completed transports

Detailed rules for the management of removable media
Theme: Management of data sets
Policy: Removable media
Other requirements: 13

Examples of other requirements this task affects:

- 8.3.1: Management of removable media (ISO 27001)
- 8.3.3: Physical media transfer (ISO 27001)
- A.11.4: Protecting data on storage media leaving the premises (ISO 27018)
- 13.2.1: Information transfer policies and procedures (ISO 27001)
- 13: Communications security (ISO 27018)

1. Task description

When removable media is an important part of an organisation's operations, more specific rules have been defined for securing removable media and the information it contains:

  • when removable media is taken outside the organization and its contents are no longer needed, the contents are made unrecoverable;
  • transferring media out of the organization requires authorization, and all transfers are logged;
  • removable media is protected by encryption when the confidentiality and integrity of the information are important;
  • information on removable media is transferred to fresh media at regular intervals, before the original media deteriorates and the data becomes unreadable;
  • multiple copies of valuable data are stored on different media to reduce the risk of simultaneous data damage or loss.
