SOC 2 CC6.7: Information Transmission Restrictions
CC6.7 requires organizations to control who can transmit, move, and remove sensitive information—both internally and to external parties. Without proper transmission controls, data in motion becomes vulnerable to interception and unauthorized access. This control ensures your information reaches only authorized recipients while remaining protected throughout its journey.
What this means
Information Transmission Restrictions means establishing and enforcing policies that limit data transmission, movement, and removal to only authorized internal staff and external partners. The control requires protecting information during all phases of transmission—whether moving data between systems, sending it to third parties, or removing it from your environment. This includes encryption in transit, secure transfer protocols, and clear authorization workflows that prevent unauthorized data exposure.
How to comply
- 1.Inventory all data transmission pathways and identify where sensitive information moves within and outside your organization
- 2.Define authorization criteria for data transmission and document who can send what information to which recipients or systems
- 3.Implement encryption for data in transit using TLS 1.2+ for network communications and secure protocols for file transfers
- 4.Deploy data loss prevention (DLP) tools to monitor and block unauthorized transmission attempts
- 5.Establish secure file transfer mechanisms (SFTP, secure APIs, encrypted email) as standard procedures
- 6.Create audit trails that log all data transmission events, including sender, recipient, data type, and timestamp
- 7.Conduct quarterly reviews of transmission logs to identify anomalies or policy violations
- 8.Train staff on data transmission policies and approved channels for sharing sensitive information
- 9.Test transmission controls through penetration testing and simulated data exfiltration scenarios
Evidence auditors look for
- Data Classification Policy documenting which information requires transmission controls
- Approved Transfer Methods Matrix listing authorized protocols and channels for different data types
- Encryption Configuration Documentation showing TLS settings and in-transit protection standards
- DLP Tool Logs demonstrating blocked unauthorized transmission attempts
- Transmission Access Logs with timestamps, user IDs, data classifications, and recipient information
- Employee Training Records confirming staff completion of data transmission security training
- Quarterly Transmission Control Review Reports identifying policy violations or suspicious patterns
- Third-Party Data Sharing Agreements specifying transmission methods and security requirements
- Penetration Test Results showing transmission control effectiveness against simulated attacks
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates transmission control monitoring by tracking and logging all data movements across your environment, flagging unauthorized transfer attempts in real-time, and generating SOC 2 CC6.7 evidence reports—eliminating manual DLP log reviews.
See how GRCWatch handles this control automatically
Start free trial