Procedures, protocols and tools to protect information in transit

Procedures, protocols and tools to protect information in transit

Purpose and Scope

Financial entities must develop, document, and implement policies, procedures, protocols and tools designed to preserve the availability, authenticity, integrity and confidentiality of data in transit.
These measures form part of the safeguards required under the ICT risk management framework.

The requirements apply to all data transmitted:

  • across internal networks,
  • over organisational, public, domestic, third-party or wireless networks,
  • to and from external parties.

Mandatory Elements of the Information-in-Transit Protection Framework

Ensuring Availability, Authenticity, Integrity and Confidentiality During Network Transmission

The procedures, protocols and tools must ensure:

  • Availability of data in transit
  • Authenticity of data sources and communication endpoints
  • Integrity of data, ensuring it is not altered, destroyed, corrupted or manipulated during transmission
  • Confidentiality of data against eavesdropping, interception or unauthorised disclosure

Entities must also establish procedures to assess compliance with these requirements, which must be:

  • formally defined,
  • repeatable,
  • documented, and
  • integrated into existing ICT risk management processes.

Prevention and Detection of Data Leakages & Secure Transfers

The policies must include measures that:

  • Prevent data leakages, covering:
    • accidental transmission,
    • unauthorised exfiltration,
    • interception risks,
    • man-in-the-middle and replay attacks.
  • Detect data leakages, requiring:
    • monitoring of transmission channels,
    • alerts on anomalies or unauthorised flows,
    • logging and analysis of transmission-related security events.
  • Ensure secure transfer of information between:
    • the financial entity and external parties,
    • third-party service providers,
    • remote staff, branches, affiliates, or outsourced environments.

Secure transfer mechanisms must follow the requirements emerging from the approved data classification and ICT risk assessment.

Confidentiality and Non-Disclosure Requirements

The framework must ensure that:

  • confidentiality or non-disclosure arrangements—
    reflecting the entity’s specific protection needs
    are:
    1. implemented,
    2. documented, and
    3. regularly reviewed.

These requirements apply to:

  • staff of the financial entity, and
  • third parties (e.g., ICT service providers, consultants, contractors, partners).

The review must ensure continued adequacy of confidentiality measures in light of:

  • evolving business needs,
  • data classification changes, and
  • emerging cyber threats.

Basis for Design of the Policies, Procedures, Protocols and Tools

Under Article 14(2) RTS RMF, all policies and controls on information in transit must be designed on the basis of:

  1. The approved data classification
    • ensuring protection requirements reflect the sensitivity level of the data.
  2. The ICT risk assessment
    • ensuring that protection measures correspond to identified risks, threat exposure, interconnection profiles, and transmission environments.

This requirement establishes a direct dependency between:

  • the entity’s data classification scheme,
  • its ICT asset criticality mapping,
  • internal/external communication channels, and
  • its overall ICT risk profile.

Article 14 RTS RMF

RTS RMF