In December 2022, the Canberra Cyber Hub began exploring 11 recent updates to ISO 27001, the certification framework for information management systems. Our previous articles covered the newly introduced Data Leakage Prevention, Web Filtering, and Information Security for the Use of Cloud Services controls.
This month, the Canberra Cyber Hub sat down with Rajiv Shah, Country Director for Net Consulting, along with Eva Chen, Aiden Toscan, Emily Ogilvie and Jake Harding from Ionize as they explore the benefits of using ISO 27001 to protect data assets via data masking, data deletion and configuration management.
Why ISO 27001?
In simple terms, there are two key reasons you would want to implement ISO 27001. Firstly, to protect your data assets, and secondly, because it is a business requirement.
The beauty of ISO 27001 is that it is a comprehensive standard that covers everything from Governance to technical controls and can be tailored to work with any industry of any size.
If your key reason is to protect your data assets, then you can align to the standard without the expense of accreditation. If the reason is due to business requirements, then typically you will need to achieve an accreditation. However, that accreditation can be limited to the scope of the business requirement, for example a single specific application, with other elements of the business continuing along the alignment path.
The comprehensive nature of the 27001 standard does mean that implementing it can be a large-scale program that may take a year or more. Also, as with all things cyber-related, once the job is done that doesn’t mean you can kick back and relax – you will need to continue to maintain your controls, ensuring they are being followed and kept up to date.
However, as we’ve seen from the series of ISO 27001 articles the Canberra Cyber Hub has published, the controls can be broken down into bite-sized chunks that can be prioritised and scheduled to meet your business needs. Below we have discussed the final few controls to complete the series. Don’t forget, there are lots of Canberra-based cyber companies that can help you if needed!
Data Masking
Data masking is a newly introduced control in the ISO 27001 standard, but it is a well-known concept. It is a set of techniques for concealing sensitive data and should be considered across almost all aspects of your business, from packet-level security monitoring, to large-scale data leaks, to everyday office application activities. By hiding data from those who don’t need to see it, you reduce the risk of that sensitive data ending up in the wrong hands.
When implementing data masking you should consider:
- The reason for its implementation (legal, regulatory/industry, contractual/business);
- Who will have access to the data and what data they require to complete their role (possibly only a specific task for a specific subject within that role);
- Verification that the masking has been sufficient to meet the requirement, taking into account any data left unmasked and any co-located data that repeats the masked values.
In many areas, data masking technology not only exists, but is mature and easy to implement. For example, many database solutions have built-in functions for masking sensitive fields such as personally identifiable information (PII). A quick search on Google will also deliver a plethora of technologies and service providers, should you require additional assistance.
Of course, when planning your data masking controls, it’s worth asking if you need to collect and retain the data in the first place – or if it can be deleted – a subject that we will now consider.
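The three planning points above (purpose, least-privilege access by role, and verification against co-located data) can be exercised in code. The following is an added example, not code from the article or from any vendor product it mentions; the sample support-ticket records, the masking rules and the two roles are constructed for illustration. It masks the PII fields, builds a per-role view that drops fields the role does not need, and then runs a verification pass that fails when an original value survives in a free-text field alongside the masked one.

```python
"""Added example (not from the article): field-level masking of PII with a
role-based view and a verification pass that catches co-located copies of
the same values in free-text fields. Records and rules are constructed."""
import re

# Constructed sample records: customer support tickets.
SAMPLE_RECORDS = [
    {
        "ticket_id": 1001,
        "customer_email": "jane.doe@example.com",
        "phone": "+61 412 345 678",
        "card_number": "4111111111111111",
        # Free text that repeats the sensitive values: the "co-located data" case.
        "notes": "jane.doe@example.com called from +61 412 345 678 re card 4111111111111111.",
    },
    {
        "ticket_id": 1002,
        "customer_email": "bob@example.org",
        "phone": "0298765432",
        "card_number": "5500000000000004",
        "notes": "Follow-up required; no further details.",
    },
]


def mask_email(value):
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(value):
    """Keep the last two digits only; punctuation is dropped."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 2) + digits[-2:]


def mask_card(value):
    """Keep the last four digits (PAN truncation)."""
    return "*" * (len(value) - 4) + value[-4:]


# Field -> masking function. Fields not listed are treated as free text.
SENSITIVE_FIELDS = {
    "customer_email": mask_email,
    "phone": mask_phone,
    "card_number": mask_card,
}

# Hypothetical roles and the fields each needs to do its job (least privilege).
ROLE_FIELDS = {
    "support_agent": {"ticket_id", "customer_email", "notes"},
    "fraud_analyst": {"ticket_id", "card_number", "notes"},
}


def mask_record(record, scrub_free_text=True):
    """Mask each sensitive field, then replace any copy of the original
    value found in other string fields with the same masked form."""
    masked = dict(record)
    replacements = {}
    for field, mask in SENSITIVE_FIELDS.items():
        original = masked.get(field)
        if original:
            masked[field] = mask(original)
            replacements[original] = masked[field]
    if scrub_free_text:
        for key, value in masked.items():
            if key in SENSITIVE_FIELDS or not isinstance(value, str):
                continue
            for original, replacement in replacements.items():
                value = value.replace(original, replacement)
            masked[key] = value
    return masked


def find_leaks(original, masked):
    """Verification step: return (field, sensitive_field) pairs where an
    original sensitive value still appears anywhere in the masked record."""
    leaks = []
    for sensitive_field in SENSITIVE_FIELDS:
        secret = original.get(sensitive_field)
        if not secret:
            continue
        for key, value in masked.items():
            if isinstance(value, str) and secret in value:
                leaks.append((key, sensitive_field))
    return leaks


def view_for_role(record, role):
    """Mask the record and drop every field the role does not require."""
    masked = mask_record(record)
    return {k: v for k, v in masked.items() if k in ROLE_FIELDS[role]}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(view_for_role(rec, "support_agent"))
        print("leaks without free-text scrub:",
              find_leaks(rec, mask_record(rec, scrub_free_text=False)))
        print("leaks with free-text scrub:", find_leaks(rec, mask_record(rec)))
```

Running it shows why the verification step matters: with `scrub_free_text=False` the first ticket's `notes` field still carries the full email, phone number and card number even though the dedicated fields are masked, so `find_leaks` reports three leaks; with the scrub enabled it reports none. Exact-substring matching is the simplest check; a production verifier would also pattern-match for values that were reformatted (spaces removed from a phone number, for example) rather than copied verbatim.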
Information Deletion
The ISO 27001:2022 standard introduced a protective control on information deletion to reduce the risk of sensitive information being exposed unnecessarily. The new control states that “information stored in information systems, devices or in any other storage media should be deleted when no longer required”. Article 17 of the General Data Protection Regulation, the “right to be forgotten”, is an equivalent measure aimed at reducing the same risk.
There are several considerations when implementing this control. Firstly, information should be deleted in accordance with the laws and legislation of the jurisdictions the organisation operates in. For example, Australian Government agencies are subject to the minimum data retention requirement under Section 24 of the Archives Act 1983 for Commonwealth records.
Secondly, information should be deleted securely, whether by automating deletion through system configurations, using approved secure software, using approved disposal providers, or using approved storage disposal mechanisms such as United States National Security Agency-approved degaussers. In addition, the disposal activities (covering the information and, if applicable, its storage device) are to be logged for auditing purposes. Organisations utilising cloud services for their systems should understand their providers’ information deletion process to determine whether that process is acceptable. Whether in the cloud or on-premises, you should also consider what backups are held of the deleted data and where – and decide whether you need to take any action about these.
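To make the "delete when no longer required" rule concrete, here is an added example (not from the article) of the automation the paragraph above describes: a retention policy applied to a record store, producing the set of records due for deletion, a review queue for records that cannot be classified, and an audit log entry per deletion. The record classes, retention periods, sample records and log format are all constructed; real retention periods must be taken from the legislation and contracts the organisation is bound by.

```python
"""Added example (not from the article): retention-driven deletion with an
audit trail. The policy, records and log format are constructed."""
from datetime import date, timedelta

# Constructed policy: record class -> minimum retention period in days.
# The periods are placeholders; derive real ones from applicable law/contracts.
RETENTION_DAYS = {
    "support_ticket": 365,
    "marketing_lead": 90,
}

# Constructed data store. 'legal_hold' marks records that must be kept while an
# investigation or dispute is open, regardless of their age.
SAMPLE_STORE = [
    {"id": "t-1", "class": "support_ticket", "created": date(2021, 1, 10), "legal_hold": False},
    {"id": "t-2", "class": "support_ticket", "created": date(2022, 11, 1), "legal_hold": False},
    {"id": "t-3", "class": "support_ticket", "created": date(2020, 6, 1), "legal_hold": True},
    {"id": "m-1", "class": "marketing_lead", "created": date(2022, 8, 1), "legal_hold": False},
    {"id": "x-1", "class": "unclassified", "created": date(2019, 1, 1), "legal_hold": False},
]


def triage(store, policy, today):
    """Split the store into records due for deletion, records to keep, and
    records needing human review (no retention rule exists for their class)."""
    due, keep, review = [], [], []
    for rec in store:
        days = policy.get(rec["class"])
        if days is None:
            review.append(rec)  # never auto-delete what you cannot classify
        elif rec["legal_hold"] or rec["created"] + timedelta(days=days) > today:
            keep.append(rec)
        else:
            due.append(rec)
    return due, keep, review


def audit_entry(rec, policy, today):
    """Record enough to show what was deleted, under which rule and when,
    without copying the record's content into a log that outlives it."""
    return {
        "event": "record_deleted",
        "record_id": rec["id"],
        "class": rec["class"],
        "retention_days": policy[rec["class"]],
        "created": rec["created"].isoformat(),
        "deleted_on": today.isoformat(),
    }


def run_disposal(store, policy, today):
    """Apply the policy. Returns (remaining_store, audit_log, review_queue).
    Actual secure erasure of the underlying storage is out of scope here."""
    due, keep, review = triage(store, policy, today)
    log = [audit_entry(rec, policy, today) for rec in due]
    return keep + review, log, review


if __name__ == "__main__":
    remaining, log, review = run_disposal(SAMPLE_STORE, RETENTION_DAYS, date(2023, 3, 1))
    for entry in log:
        print(entry)
    print("kept:", [r["id"] for r in remaining], "needs review:", [r["id"] for r in review])
```

Two design points are worth noting. Records with no matching retention rule go to a review queue instead of being deleted or silently kept forever, because an unclassified record is exactly the kind that ends up retained far beyond need. And the audit log deliberately contains identifiers and policy references only, not the deleted content, since the log itself is usually retained longer than the data it documents. The log also says nothing about backup copies; reconciling those is the separate action the paragraph above asks you to decide on.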
Configuration Management
The configuration management control was introduced into the ISO 27001:2022 framework in response to the recent increase in major data breaches in which misconfigurations within an organisation’s IT systems were a factor. Configuration management forms the baseline of security in every organisation, allowing them to standardise environments, limit unknown network components, ensure systems are adequately hardened, identify issues and security attacks, minimise unauthorised or incorrect changes, and ensure software, systems, services and networks operate as intended.
Other key benefits of configuration management are that it can be supported by automation, reducing operational overhead; that it gives practical effect to information security policy, standards and other security requirements; and that it allows the creation of standard operating environments for consistency in operations.
The initial establishment of system configurations should consider how to set a security baseline, making use of resources such as vendor-provided templates and best practice guidelines. In a legacy environment there will always be some systems that cannot comply with the planned baseline controls - such systems should be reviewed, remediated or risk-managed.
A key aspect of configuration management that is often overlooked by organisations is that it is a lifecycle process, rather than a one-time, set-and-forget method of securing a network. As outlined in the ISO 27001:2022 control (Control 8.9), configurations should be established, documented, implemented, monitored, and reviewed periodically. Once your baseline is in place, tools that enforce the defined configurations should be implemented to ensure all new systems meet the baseline, and then used for ongoing management.
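The establish, document, monitor and enforce steps described above can be seen together in a small drift checker. The following is an added example, not from the article or from any configuration-management product: the baseline values and the configuration excerpt are constructed, and the option names are OpenSSH sshd_config options chosen only because they are a familiar hardening target. It parses a host's current configuration, reports every option that is missing or differs from the documented baseline, and generates a remediated file that can then be compared again to confirm compliance.

```python
"""Added example (not from the article): checking a host's configuration
against a documented security baseline and generating a remediated file.
The baseline values and the config excerpt are constructed; the keys are
OpenSSH sshd_config options, used only as a familiar illustration."""
import re

# Constructed baseline: option -> required value. In practice this is derived
# from vendor templates and hardening guides, documented and version-controlled.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed excerpt of a host's current configuration.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding yes
MaxAuthTries 6
"""

_LINE = re.compile(r"^(\S+)[\s=]+(.+?)\s*$")


def parse_config(text):
    """Return {option_lowercase: value}. Comments and blank lines are skipped;
    the first occurrence of an option wins, which is how sshd resolves duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _LINE.match(line) if line else None
        if match:
            settings.setdefault(match.group(1).lower(), match.group(2))
    return settings


def check_drift(settings, baseline):
    """Compare parsed settings with the baseline (case-insensitive)."""
    drift = {"mismatch": {}, "missing": []}
    for option, expected in baseline.items():
        actual = settings.get(option.lower())
        if actual is None:
            drift["missing"].append(option)  # not set explicitly: relies on a default
        elif actual.lower() != expected.lower():
            drift["mismatch"][option] = (actual, expected)
    return drift


def is_compliant(drift):
    return not drift["mismatch"] and not drift["missing"]


def remediate(text, baseline):
    """Rewrite the first occurrence of each baseline option to its required
    value and append any option that is absent. Other lines are untouched."""
    canonical = {option.lower(): option for option in baseline}
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _LINE.match(line) if line else None
        key = match.group(1).lower() if match else None
        if key in canonical and key not in seen:
            option = canonical[key]
            out.append(f"{option} {baseline[option]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, option in canonical.items():
        if key not in seen:
            out.append(f"{option} {baseline[option]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    drift = check_drift(parse_config(SAMPLE_CONFIG), BASELINE)
    print("drift:", drift, "compliant:", is_compliant(drift))
    fixed = remediate(SAMPLE_CONFIG, BASELINE)
    print(fixed)
    print("compliant after remediation:",
          is_compliant(check_drift(parse_config(fixed), BASELINE)))
```

On the sample input the checker reports two mismatches (`PermitRootLogin`, `MaxAuthTries`) and one missing option (`X11Forwarding`, present only as a comment). An option that is absent is reported rather than assumed safe, because relying on a vendor default is itself an undocumented configuration decision; the remediated output therefore sets every baseline option explicitly. The same check, run on a schedule against every host and kept alongside the documented baseline, is the "monitor and review" half of the lifecycle the paragraph above describes.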
Overall, the implementation of the new configuration management control will better position organisations to protect against undocumented changes, unauthorised access, data loss and data spills, thus reducing the risks associated with the ever-changing cyber threat landscape we operate in.