This is a reasonably long post covering how you handle and store data. It includes data masking and leakage prevention, which help you protect the important data within your system. But first we start with information deletion: working out how and when to remove data from your system. As the saying goes, if you don't have it, it can't be stolen.

A.8.10 Information deletion

The aim of this new control is to prevent unnecessary exposure of sensitive information and comply with legal, statutory, regulatory, and contractual requirements for information deletion.

Put simply, data should not be kept for longer than it is required. Once you no longer need it, delete it: that reduces the risk of it being disclosed, along with the bad publicity that has followed previous data breaches in Australia.

When deleting information, determine the appropriate means of deletion based on business requirements and the relevant laws and regulations. Methods for deleting sensitive data include electronic overwriting and cryptographic erasure (encrypting the data before it is stored and later destroying the key, which leaves any remaining copies unreadable; this is the practical option for SSDs and cloud storage, where overwriting a logical block does not reliably overwrite the physical one). Record evidence of the deletion result, especially if a third-party supplier deletes the data or destroys the devices.

Also important: any deletion and data retention policy should take account of the relevant legislation and regulations, both on how long data must be retained and on which deletion measures are acceptable.

Last, but by no means least, is deleting data from devices within your business when they are no longer required or leave the premises. This includes equipment returned to suppliers and equipment that reaches the end of its service life and is disposed of, as covered in control A.7.14.

Keeping records of information deletion is also useful when analysing a data breach or other event in which information may have been lost: you can show which data had already been deleted and was therefore not exposed.
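As an added example, not taken from the original post or from DQS, here is what cryptographic erasure with an evidence record looks like in Go. Every record is encrypted under its own AES-256-GCM data key, the keys are held in a separate (here in-memory, hypothetical) key store, and "deleting" the record means destroying its key and writing a DeletionRecord. The ciphertext is deliberately left in the data store to show that, without its key, it is useless even if a copy survives in a backup. The type names, the store layout and the sample record are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// ErrErased is returned once a record's data key has been destroyed.
var ErrErased = errors.New("record has been cryptographically erased")

// DeletionRecord is the evidence the control asks for: what, how, when, who.
type DeletionRecord struct {
	RecordID, Method, Actor string
	When                    time.Time
}

// Store is a hypothetical layout: ciphertexts live in the data store, the
// per-record data keys in a separate key store (a KMS in a real system).
type Store struct {
	records map[string][]byte // record ID -> nonce || ciphertext
	keys    map[string][]byte // record ID -> 256-bit AES data key
	Log     []DeletionRecord  // audit trail of erasures
}

func NewStore() *Store {
	return &Store{records: map[string][]byte{}, keys: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh random data key and stores the two
// parts separately. The record ID is bound as associated data so a
// ciphertext cannot be replayed under another ID.
func (s *Store) Put(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
	s.keys[id] = key
	return nil
}

// Get decrypts a record; once its key is gone the ciphertext is unreadable.
func (s *Store) Get(id string) ([]byte, error) {
	ct, ok := s.records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	key, ok := s.keys[id]
	if !ok {
		return nil, ErrErased
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], []byte(id))
}

// Erase is the cryptographic erasure: zero the key bytes, drop the key from
// the key store and record the evidence. A record whose key is already gone
// reports ErrErased. The ciphertext is deliberately left behind; without its
// key it is indistinguishable from random data.
func (s *Store) Erase(id, actor string) (DeletionRecord, error) {
	key, ok := s.keys[id]
	if !ok {
		return DeletionRecord{}, ErrErased
	}
	for i := range key {
		key[i] = 0
	}
	delete(s.keys, id)
	rec := DeletionRecord{RecordID: id, Actor: actor, When: time.Now().UTC(),
		Method: "cryptographic erasure: AES-256-GCM data key destroyed"}
	s.Log = append(s.Log, rec)
	return rec, nil
}
```

Calling Put, Get, Erase and then Get again on the same ID shows the effect: the first Get returns the plaintext, the second returns ErrErased, and the Log slice holds the evidence that the retention job can hand to an auditor. In production the zeroing of the key is best effort (the expanded AES key schedule inside the cipher object is not zeroed), which is why the key store, not application memory, is the thing you rely on.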
 

A.8.11 Data masking

This new control aims to limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.
Data masking is a technique used by systems and organisations to hide, anonymise or pseudonymise PII.

Pseudonymisation replaces the identifying fields within a dataset with artificial identifiers, so that the data subject cannot be identified without additional information (a lookup table or a key) that is kept separately. Because that additional information exists, pseudonymised data is still personal data and still needs protecting.

Anonymisation removes or generalises any information that could be used, alone or in combination, to identify the data subject. Properly anonymised data is no longer personal data, but true anonymisation is harder to achieve than it looks (see the note on indirect identification below).

Data which should be anonymised can include: 

  • Names, including first name, family name, maiden names, aliases.
  • Address information, including postal addresses, telephone numbers, postcodes, cities.
  • Identifiers, including bank account details, credit card numbers, driver licence numbers and other identity documents such as security cards and passports.

Techniques you can use to mask the data include:

  • Directory replacement, such as replacing a full address by City and State.
  • Replacing values by their hash. Strictly this is pseudonymisation, not anonymisation, and it must be a keyed hash (HMAC): an unkeyed hash of a phone number, postcode or card number is reversed simply by hashing every possible value and comparing.
  • Scrambling letters or numbers, or substituting characters, to hide the data.

Masking is used by many systems, including banks and other payment handlers, to meet legal and regulatory requirements (PCI DSS, for card data) by replacing digits of the card number with the '*' character so that at most the first six and last four digits are displayed.
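The three techniques listed above, and the card-number masking just described, as an added example in Go that is not part of the original post or of DQS's material. Pseudonymise uses HMAC-SHA256 with a key that stands in for the "additional information kept separately"; MaskPAN keeps only the last four digits; Generalise is directory replacement; Scramble substitutes characters while keeping the shape of the value. The key value, the Address type and the sample inputs are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
)

// pseudonymKey is the "additional information kept separately": the secret
// that links pseudonyms back to people. Hypothetical value; in a real system
// it comes from a key store and never sits next to the pseudonymised data.
var pseudonymKey = []byte("replace-with-a-random-32-byte-key-from-a-KMS")

// Pseudonymise maps an identifier to a stable artificial identifier using a
// keyed hash (HMAC-SHA256). Equal inputs give equal tokens, so records can
// still be joined, but without the key the token cannot be reversed by
// hashing every possible phone number or card number and comparing.
func Pseudonymise(identifier string) string {
	mac := hmac.New(sha256.New, pseudonymKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(identifier))))
	return "P-" + hex.EncodeToString(mac.Sum(nil))[:16]
}

// MaskPAN replaces card-number digits with '*', keeping only the last four
// (PCI DSS allows at most the first six and last four to be displayed; this
// shows the minimum). Separators are kept so the display format survives,
// and anything too short to be a card number is masked entirely.
func MaskPAN(pan string) string {
	digits := 0
	for _, r := range pan {
		if unicode.IsDigit(r) {
			digits++
		}
	}
	keep := 4
	if digits <= keep {
		keep = 0
	}
	var b strings.Builder
	seen := 0
	for _, r := range pan {
		if !unicode.IsDigit(r) {
			b.WriteRune(r)
			continue
		}
		seen++
		if seen > digits-keep {
			b.WriteRune(r)
		} else {
			b.WriteRune('*')
		}
	}
	return b.String()
}

// Address is a constructed record type for the directory-replacement example.
type Address struct {
	Street, City, State, Postcode string
}

// Generalise is directory replacement: the full address is replaced by City
// and State, dropping the street and postcode that single out a household.
func Generalise(a Address) Address {
	return Address{City: a.City, State: a.State}
}

// Scramble substitutes every letter and digit with a placeholder of the same
// class, keeping length and punctuation: the shape of the value survives for
// test data, the value itself does not.
func Scramble(s string) string {
	return strings.Map(func(r rune) rune {
		switch {
		case unicode.IsUpper(r):
			return 'X'
		case unicode.IsLower(r):
			return 'x'
		case unicode.IsDigit(r):
			return '9'
		}
		return r
	}, s)
}

func main() {
	fmt.Println(Pseudonymise("Jane.Citizen@example.com"))
	fmt.Println(MaskPAN("4111 1111 1111 1111")) // **** **** **** 1111
	fmt.Printf("%+v\n", Generalise(Address{"12 Example St", "Brisbane", "QLD", "4000"}))
	fmt.Println(Scramble("Jane Citizen, ph 0412 345 678")) // Xxxx Xxxxxxx, xx 9999 999 999
}
```

Pseudonymise normalises case and whitespace before hashing so that "Jane@Example.com" and " jane@example.com " get the same token; whether you want that depends on whether those are the same person in your system. The 16 hex characters of the token are a display choice, not a security one: the key is what keeps the mapping secret.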

To limit what personal data is displayed on screen, some systems show only the minimum data set and require the user to re-authenticate (with a passcode sent to them, or by re-entering their password) before the full personal data field is revealed.

When determining the most appropriate way to anonymise data, check that whatever remains after obfuscation cannot be combined with other fields in the dataset, or with external data, to indirectly identify the data subject. A masked name is no protection if the record still carries a full postcode, date of birth and sex: that combination is often unique to one person and can be linked to public or leaked datasets that do carry names.
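A way to test for that indirect identification, as an added example not from the original post: count how many records share each combination of quasi-identifiers and flag any record whose combination is shared by fewer than k others (the k-anonymity check), then coarsen the quasi-identifiers until no record stands alone. The Record type, the quasi-identifier choice and the sample rows are constructed for illustration; the diagnoses are invented, not real people.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a constructed, already-masked row: the name has been replaced by
// a pseudonym, but the attributes left behind are quasi-identifiers.
type Record struct {
	Pseudonym string
	Postcode  string
	BirthYear int
	Sex       string
	Diagnosis string // the sensitive value masking is meant to protect
}

// SampleRecords is constructed sample data, not real people.
var SampleRecords = []Record{
	{"P-1", "4000", 1985, "F", "asthma"},
	{"P-2", "4000", 1985, "F", "migraine"},
	{"P-3", "4000", 1985, "F", "eczema"},
	{"P-4", "4005", 1962, "M", "diabetes"},
	{"P-5", "4006", 1968, "M", "hypertension"},
}

// quasiKey is the combination of remaining fields that an outside dataset
// (electoral roll, social media, a leaked customer list) could be matched on.
func quasiKey(r Record) string {
	return fmt.Sprintf("%s|%d|%s", r.Postcode, r.BirthYear, r.Sex)
}

// KAnonymityViolations returns the pseudonyms of records whose quasi-identifier
// combination is shared by fewer than k records in the dataset. Each such
// record can be singled out by linkage, however well the name was masked.
func KAnonymityViolations(records []Record, k int) []string {
	groups := map[string]int{}
	for _, r := range records {
		groups[quasiKey(r)]++
	}
	var out []string
	for _, r := range records {
		if groups[quasiKey(r)] < k {
			out = append(out, r.Pseudonym)
		}
	}
	return out
}

// Coarsen generalises the quasi-identifiers (postcode to its first two digits,
// birth year to the decade) so that more records share each combination.
// It returns a new slice and leaves the input untouched.
func Coarsen(records []Record) []Record {
	out := make([]Record, len(records))
	for i, r := range records {
		if len(r.Postcode) > 2 {
			r.Postcode = r.Postcode[:2] + strings.Repeat("*", len(r.Postcode)-2)
		}
		r.BirthYear = r.BirthYear / 10 * 10
		out[i] = r
	}
	return out
}

func main() {
	fmt.Println("re-identifiable:", KAnonymityViolations(SampleRecords, 2))          // [P-4 P-5]
	fmt.Println("after coarsening:", KAnonymityViolations(Coarsen(SampleRecords), 2)) // []
}
```

On the sample data P-4 and P-5 are each the only male born in their year in their postcode, so their diagnosis is effectively attributed to a named person the moment someone links the file to a list that has names against postcodes and birth dates. Coarsening fixes it here, but in a real dataset pick k and the level of generalisation deliberately, and re-run the check every time a column is added.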
 

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
