Sensitive corporate information is a sought-after target for organized cybercriminals as well as for state-sponsored industrial espionage. The processing of this information should therefore follow particularly restrictive security rules. To this end, the international information security standard ISO/IEC 27001 defines a comprehensive, risk-based catalog of controls for holistically protecting the information assets of companies and organizations. In the following, we highlight three new controls from the updated version ISO/IEC 27001:2022 that play a key role in information processing and security.

Corporate information as a coveted target of attack

The "Business Protection 2022" study by industry association Bitkom confirms that hackers are very much aware of the economic value of information and data in today's business world: 36 percent of the companies surveyed have already been affected by the theft of sensitive data or digital information. Particularly popular targets are communications data at 68 percent and customer data at 45 percent. The damage caused by blackmail, patent infringements and lost sales directly attributable to data theft is in the range of several billion euros.

Companies and organizations need to further strengthen protection when processing their critical data. Additional guidelines help to further improve the overall security concept and reduce the attack surface.

3 new measures for more information security

The 93 measures (controls) in Annex A of ISO/IEC 27001:2022 are now organized into four themes:

  • Organizational controls,
  • People controls,
  • Physical controls and
  • Technological controls.

The three new controls for information protection that we look at in more detail below belong to the "Technological controls" theme:

  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention

The General Data Protection Regulation (GDPR) also prescribes measures for the protection of personal data in Article 32; in connection with the processing of such data, these are referred to as technical and organizational measures (TOMs). Implementing the Annex A controls of ISO 27001 thus also helps to demonstrate the appropriate level of security that data protection law requires.

Deletion of information

Control 8.10 addresses the risk posed by information that is no longer needed but still resides on information systems, devices or other storage media. Deleting such data as soon as it is no longer required limits its exposure and helps meet legal, statutory, regulatory and contractual requirements for deletion. In doing so, companies and organizations should consider the following:

  • Choosing an erasure method (e.g., electronic overwriting or cryptographic erasure) that is appropriate in light of the business and regulatory environment
  • Documentation of the results
  • Providing evidence when using service providers to delete information

If third parties store data on behalf of the company, requirements for deletion should be written into the contract so that they apply during the service and after its termination.

To ensure the reliable removal of sensitive information - while ensuring compliance with relevant data retention policies and applicable laws and regulations - the standard provides for the following procedures, services, and technologies:

  • Establishing dedicated systems that enable the secure destruction of information, for example according to retention policies or at the request of the individuals concerned;
  • Deleting obsolete versions, copies and temporary files on all storage media;
  • Using only approved, secure erasure software to remove information permanently and irrecoverably;
  • Deleting via approved and certified secure disposal service providers;
  • Using disposal methods appropriate to the storage medium in question, such as degaussing of magnetic hard disks. Note that degaussing has no effect on SSDs and other flash media; for those, cryptographic erasure (destroying the key of an encrypted drive) or physical destruction is the appropriate method.

When using cloud services, the organization should verify whether the deletion methods offered by the provider are acceptable. If they are, the organization should either use that method itself or request the provider to delete the information. Where possible, these deletion processes should be automated as part of the topic-specific policies.

To prevent the inadvertent disclosure of sensitive information, the storage of any device returned to a vendor should be wiped before return. On some devices (such as smartphones) data can only be removed by destroying the device or by built-in functions (e.g., restoring factory settings); a factory reset is only a reliable erasure method where the device encrypts its storage and the reset discards the key. The procedure should be chosen according to the classification of the information stored.

Deletion processes should be documented in proportion to the sensitivity of the information so that removal of the data can be proven if questioned.
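The following added example (not code from DQS or the standard) shows what the cryptographic erasure named in the list above looks like in practice and why it also suits cloud and flash storage: each object is encrypted with its own key, deletion destroys that key, and a deletion record is written as evidence. The cipher is HMAC-SHA256 in counter mode for illustration only (a real deployment would use AES-GCM from a vetted library and a managed key store); object IDs, the record content and the requester are constructed.

```python
"""Crypto-shredding: delete by destroying the key, and keep evidence of it.

Added example, not text from DQS or the standard. The cipher below is HMAC-SHA256
run in counter mode as a keystream; it is illustrative only, a deployment would use
AES-GCM from a vetted library and a managed key store. The object ID, record content
and requester are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with HMAC-SHA256(key, nonce || counter) blocks.
    The same call encrypts and decrypts (illustrative PRF-in-counter-mode)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CryptoShredStore:
    """Ciphertext and per-object data encryption keys live in separate stores.
    Erasing an object destroys only its key: every copy of the ciphertext
    (backups, snapshots, replicas the organisation can no longer reach) becomes
    unreadable at once, which is what makes the method suitable for cloud storage
    and flash media that cannot be reliably overwritten."""

    def __init__(self) -> None:
        self.blobs = {}          # object_id -> (nonce, ciphertext); the bulk store
        self.keys = {}           # object_id -> key; in practice an HSM/KMS, not a dict
        self.deletion_log = []   # evidence records for audits and deletion requests

    def put(self, object_id: str, plaintext: bytes) -> None:
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[object_id] = key
        self.blobs[object_id] = (nonce, keystream_xor(key, nonce, plaintext))

    def get(self, object_id: str) -> bytes:
        if object_id not in self.keys:
            raise KeyError(f"{object_id}: key destroyed or unknown")
        nonce, ciphertext = self.blobs[object_id]
        return keystream_xor(self.keys[object_id], nonce, ciphertext)

    def crypto_erase(self, object_id: str, reason: str, requested_by: str) -> dict:
        """Destroy the key and record who erased what, when and how."""
        key = self.keys.pop(object_id)   # KeyError if already erased: no silent double-delete
        key_fingerprint = hashlib.sha256(key).hexdigest()[:16]  # identifies the key, is not the key
        del key
        record = {
            "object_id": object_id,
            "method": "cryptographic erasure (key destruction)",
            "key_fingerprint": key_fingerprint,
            "reason": reason,
            "requested_by": requested_by,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "ciphertext_retained": object_id in self.blobs,
        }
        self.deletion_log.append(record)
        return record


def demo() -> dict:
    """Store a constructed customer record, erase it, and report the outcome."""
    store = CryptoShredStore()
    store.put("customer-4711", b"Jane Doe, IBAN DE00 0000 0000 0000 0000 00")  # constructed
    before = store.get("customer-4711")
    record = store.crypto_erase("customer-4711", "retention period expired", "records-mgmt")
    try:
        store.get("customer-4711")
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "before": before,
        "readable_after": readable_after,
        "ciphertext_still_present": "customer-4711" in store.blobs,
        "record": record,
    }


if __name__ == "__main__":
    print(demo())
```

The deletion record deliberately stores only a fingerprint of the destroyed key, so the evidence itself cannot be used to undo the erasure; in an audit it is the record, together with the key store's own log, that proves the data was removed.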

Data masking

For a range of sensitive information, for example in the processing of personal data, company-specific, industry or regulatory requirements stipulate the masking, pseudonymization or anonymization of the information. Control 8.11 provides guidance for these measures.

Pseudonymization and anonymization techniques make it possible to mask personal data, obscure the true values and hide links between pieces of information. To be effective, all relevant elements of the sensitive information must be covered. Whereas anonymization changes the data irreversibly, pseudonymized data can still be traced back to a real identity with the help of additional information. That additional information (for example a mapping table or the key used to derive the pseudonyms) should therefore be stored separately and protected.

Other techniques for data masking include:

  • Encryption;
  • Nulling or deleting characters;
  • Varying numbers and dates;
  • Substitution (replacing one value with another to hide sensitive data);
  • Replacing values with their hash. Note that an unkeyed hash of a value with few possible forms (a phone number, a date of birth, a card number) can be reversed by simply hashing every candidate; a keyed hash (HMAC) whose key is kept separately avoids this.
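As an added example (not code from DQS or the standard), the techniques listed above applied to one constructed customer record: nulling of characters, substitution, varied dates, a keyed pseudonym, and a plain hash together with the enumeration attack that breaks it. `SECRET` stands in for the pseudonymization key that must be stored separately from the masked data set; the region table and the sample record are constructed.

```python
"""Data masking techniques from Control 8.11 applied to one constructed customer
record. Added example, not code from DQS or the standard. `SECRET` stands in for
the pseudonymization key that must be stored separately from the masked data set;
the region table and the sample record are constructed."""
import hashlib
import hmac
import itertools
import random
from datetime import date, timedelta

SAMPLE_RECORD = {  # constructed
    "customer_id": "C-1001", "name": "Max Mustermann", "city": "Munich",
    "card": "4111111111111111", "phone": "+491511234", "birth_date": "1987-04-12",
}
REGIONS = {"Munich": "DE-South", "Hamburg": "DE-North", "Berlin": "DE-East"}  # constructed
SECRET = b"kept-in-a-separate-key-store"  # hypothetical; never shipped with the data


def null_chars(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Nulling characters: keep only the last `keep_last` (e.g. of a card number)."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


def substitute(value: str, table: dict) -> str:
    """Substitution: replace a real value with a coarser stand-in from a lookup table."""
    return table.get(value, "REDACTED")


def vary_date(iso_date: str, seed: int, max_days: int = 30) -> str:
    """Varying dates: shift by a seeded random offset so exact dates cannot be
    matched against other sources while the rough age band survives."""
    y, m, d = map(int, iso_date.split("-"))
    offset = random.Random(seed).randint(-max_days, max_days)
    return (date(y, m, d) + timedelta(days=offset)).isoformat()


def shift_days(original: str, varied: str) -> int:
    """Signed difference in days between two ISO dates (used to check vary_date)."""
    return (date.fromisoformat(varied) - date.fromisoformat(original)).days


def pseudonymize(value: str, secret: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): the same value maps to the same token, so
    records can still be linked, but re-identification needs `secret`, which is the
    'additional information' the text says to keep separate."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def plain_hash(value: str) -> str:
    """Unkeyed hash. Not a pseudonym for values an attacker can enumerate."""
    return hashlib.sha256(value.encode()).hexdigest()


def brute_force_hash(target: str, prefix: str = "+49151", digits: int = 4):
    """Why plain hashing is not enough: enumerate every candidate and compare.
    The search space is kept tiny here (10^4); a whole mobile number range is
    around 10^8 hashes, which is still feasible on commodity hardware."""
    for tail in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(tail)
        if plain_hash(candidate) == target:
            return candidate
    return None


def mask_record(record: dict, secret: bytes = SECRET, seed: int = 7) -> dict:
    """One technique per field; the name is dropped because nothing downstream needs it."""
    return {
        "customer_id": pseudonymize(record["customer_id"], secret),
        "card": null_chars(record["card"]),
        "region": substitute(record["city"], REGIONS),
        "birth_date": vary_date(record["birth_date"], seed),
        "phone_hash": plain_hash(record["phone"]),  # kept only to demonstrate the weakness
    }


if __name__ == "__main__":
    masked = mask_record(SAMPLE_RECORD)
    print(masked)
    print("plain hash recovered:", brute_force_hash(masked["phone_hash"]))
```

The keyed pseudonym is the one technique here that is both linkable and resistant to guessing, which is why the key (not the masked output) is what needs the access controls and separation the text asks for.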

When implementing these techniques, it is important to consider a number of aspects:

  • Users should not have access to all data, but only to the data they really need for their task.
  • In some cases not all data in a data set should be visible to all users; procedures for obfuscating the data should then be designed and implemented (for example, patient data in a medical record that should be visible only to staff with roles relevant to treatment).
  • In some cases the obfuscation itself should not be apparent to those accessing the data ("obfuscation of the obfuscation"), for instance where the mere category of a hidden entry (pregnancy test, blood test, etc.) would allow conclusions about the actual data.
  • Legal or regulatory requirements must be taken into account (for example, the requirement to mask payment card data during processing or storage).
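The following added example (not code from DQS or the standard) shows how the three points above translate into role-dependent views of one medical record: fields a role needs are returned in clear, some are coarsened, and everything else is omitted without a placeholder so that the view does not even betray that a hidden lab result exists. Roles, the field policy and the patient record are constructed; a real system takes the role from the authenticated session, never from the caller.

```python
"""Role-dependent views of one constructed medical record, following the guidance
to Control 8.11. Added example, not code from DQS or the standard. Roles, the field
policy and the record are constructed; a real system takes the role from the
authenticated session, never from the caller."""
from copy import deepcopy

PATIENT = {  # constructed
    "patient_id": "P-1002",
    "name": "Erika Mustermann",
    "birth_date": "1987-04-12",
    "address": "Musterstraße 1, 12345 Musterstadt",
    "diagnosis": "gestational diabetes",
    "lab_results": [
        {"category": "pregnancy test", "result": "positive", "date": "2024-02-01"},
        {"category": "HbA1c", "result": "6.1 %", "date": "2024-02-03"},
    ],
}

# For each role: fields returned in clear and fields returned coarsened. Anything
# else is omitted without a placeholder, so the view does not reveal that a field
# (or a lab result whose category alone gives away a diagnosis) exists at all:
# the "obfuscation of the obfuscation" from the text.
POLICY = {
    "treating_physician": {
        "clear": {"patient_id", "name", "birth_date", "address", "diagnosis", "lab_results"},
        "coarse": set(),
    },
    "nurse": {
        "clear": {"patient_id", "name", "diagnosis", "lab_results"},
        "coarse": {"birth_date"},
    },
    "billing": {"clear": {"patient_id", "name", "address"}, "coarse": {"birth_date"}},
    "researcher": {"clear": {"diagnosis", "lab_results"}, "coarse": {"birth_date"}},
}


def coarsen(field: str, value):
    """Reduce precision instead of hiding: year of birth is enough for billing/research."""
    if field == "birth_date":
        return value[:4]
    return "***"


def view_for(role: str, record: dict, access_log: list) -> dict:
    """Return the subset of `record` that `role` may see and log the disclosure."""
    policy = POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no masking policy for role {role!r}")  # deny by default
    view = {}
    for field, value in record.items():
        if field in policy["clear"]:
            view[field] = deepcopy(value)   # copy, so callers cannot alter the source
        elif field in policy["coarse"]:
            view[field] = coarsen(field, value)
        # else: dropped silently, no "[REDACTED]" marker
    # Provision of processed data is tracked, as the general points below require.
    access_log.append({"role": role, "patient_id": record["patient_id"], "fields": sorted(view)})
    return view


if __name__ == "__main__":
    log = []
    for r in POLICY:
        print(r, view_for(r, PATIENT, log))
    print(log)
```

Unknown roles raise rather than fall back to a "safe" default view; an unmapped role is a configuration error and should surface as one.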

In general, the following points apply to data masking, pseudonymization and anonymization:

  • The strength of the masking, pseudonymization or anonymization depends largely on how the processed data is used;
  • Access to the processed data should be secured by appropriate protection mechanisms;
  • Agreements or restrictions regarding the use of the processed data must be taken into account;
  • The processed data must not be matched with other information in order to identify the data subject;
  • Provision and receipt of processed data must be securely tracked and controlled.

Prevention of data leaks

Control 8.12 is designed to prevent data leakage and formulates specific measures to be applied to all systems, networks, and other devices that process, store, or transmit sensitive information. To minimize the leakage of sensitive data, organizations should consider the following:

  • Identifying and classifying information (e.g., personal data, pricing models, and product designs);
  • Monitoring the channels through which data can leak out, such as email, file transfers, mobile devices and mobile storage;
  • Measures to prevent data leakage (e.g., quarantining emails containing sensitive information);

To prevent data leaks in modern, complex IT structures with their multitude of very different data, organizations also need suitable tools to

  • Identify and monitor sensitive information at risk of unauthorized disclosure (e.g., in unstructured data on a user's system),
  • Detect disclosures of sensitive data (e.g., when data is uploaded to untrusted third-party cloud services or sent via email); and
  • Block user actions or network transmissions that reveal critical information (e.g., preventing database entries from being copied to a spreadsheet).

Organizations should determine whether it is necessary to restrict users' permissions to copy, paste or upload data to services, devices and storage media outside the organization. Where this is the case, suitable data leakage prevention tools should be implemented or existing technologies configured accordingly.

For example, users may be permitted to view and edit data remotely, but not to copy and paste it outside the organization's control. If a data export is nevertheless required, the data owner can approve it on a case-by-case basis, and users can be held accountable for unwanted activity if necessary.
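As an added illustration of the tooling described in the preceding paragraphs (not DQS or ISO code), the following snippet classifies outbound events from several channels and decides whether to allow, quarantine or block them. The classifiers (Luhn-checked card numbers, bulk e-mail addresses, classification markers), the trusted domain, the thresholds and the five sample events are all constructed; a production DLP product adds fingerprinting of known documents, OCR and integration with mail gateways and endpoint agents.

```python
"""Minimal data leakage prevention over outbound events (Control 8.12).
Added example, not code from DQS or the standard. Classifiers, thresholds, the
trusted domain and the sample events are constructed."""
import re

TRUSTED_DOMAINS = {"example-corp.test"}  # constructed; anything else is "outside"
BULK_EMAIL_THRESHOLD = 50                # addresses per message that suggest a customer list

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, spaces/dashes allowed
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MARKER_RE = re.compile(r"\b(STRICTLY CONFIDENTIAL|CONFIDENTIAL|INTERNAL)\b", re.I)


def luhn_ok(candidate: str) -> bool:
    """Luhn check so that random digit runs (order numbers, phone numbers) are not PANs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def classify(text: str) -> dict:
    """Identify sensitive content: card numbers, e-mail addresses, classification markers."""
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    emails = EMAIL_RE.findall(text)
    markers = {m.group(1).upper() for m in MARKER_RE.finditer(text)}
    return {"cards": cards, "emails": emails, "markers": markers}


def is_external(event: dict) -> bool:
    """Removable media always leaves the organization; for mail/upload check the domain."""
    if event["channel"] == "removable_media":
        return True
    domain = event["destination"].rsplit("@", 1)[-1].lower()
    return domain not in TRUSTED_DOMAINS


def decide(event: dict) -> tuple:
    """Return (action, reason). Order matters: the strictest matching rule wins."""
    findings = classify(event["content"])
    external = is_external(event)
    if findings["cards"]:
        return ("block", f"{len(findings['cards'])} unmasked payment card number(s) via {event['channel']}")
    if external and "STRICTLY CONFIDENTIAL" in findings["markers"]:
        return ("block", "strictly confidential content leaving the organization")
    if external and findings["markers"]:
        return ("quarantine", "classified content to external destination; data owner approval required")
    if external and len(set(findings["emails"])) >= BULK_EMAIL_THRESHOLD:
        return ("quarantine", f"{len(set(findings['emails']))} e-mail addresses in one message")
    return ("allow", "no policy match")


def sample_events() -> list:
    """Five constructed outbound events covering e-mail, upload and removable media."""
    customer_list = "\n".join(f"user{i}@customer-mail.test" for i in range(60))
    return [
        {"channel": "email", "destination": "partner@supplier.test",
         "content": "Card on file: 4111 1111 1111 1111, exp 12/27"},
        {"channel": "upload", "destination": "drive.untrusted.test",
         "content": "STRICTLY CONFIDENTIAL - product design v3"},
        {"channel": "email", "destination": "me@webmail.test",
         "content": "Export for the newsletter:\n" + customer_list},
        {"channel": "email", "destination": "colleague@example-corp.test",
         "content": "CONFIDENTIAL pricing model 2025, see attached"},
        {"channel": "removable_media", "destination": "USB\\VID_0781",
         "content": "INTERNAL meeting notes"},
    ]


def run_dlp(events=None) -> list:
    """Actions for each event, in order."""
    events = sample_events() if events is None else events
    return [decide(e)[0] for e in events]


if __name__ == "__main__":
    for ev in sample_events():
        print(ev["channel"], ev["destination"], "->", decide(ev))
```

The fourth event is allowed although it carries a classification marker, because the recipient is inside the trusted domain; the same content to an external address would be quarantined for data-owner approval, which is the case-by-case release the text describes.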


Data leakage prevention also explicitly covers the protection of confidential or secret information that could be misused for espionage or is of vital importance to society. In such cases measures can also be designed to confuse attackers, for example by substituting false information, reverse social engineering, or using honeypots to lure attackers.

Data leakage prevention can be supported by standard security controls, for example topic-specific policies on access control and secure document handling (see also Controls 5.12 Classification of information and 5.15 Access control).

Important to note when using monitoring tools: to protect their own information, many tools also inevitably monitor the communications and online activities of employees and messages from third parties. This monitoring raises different legal issues that must be considered before using the appropriate monitoring tools. There is a need to balance the level of monitoring with a variety of privacy, data protection, employment, data interception and telecommunications legislation.

Technical measures in information security - a conclusion

In the overall context of the three principles of information security, confidentiality, integrity and availability, the data processing procedures described here play a key role in the enhanced protection of sensitive data. With continuous monitoring of data and information flows, masking of sensitive information and strict deletion policies, organizations can sustainably improve their protection against data leakage and data loss, and counteract the unintentional release of critical information. In addition, these procedures make a decisive contribution to company-wide cybersecurity and reduce the attack surface for attackers and industrial espionage.

For companies and organizations, it is now a matter of establishing the procedures and the required tools appropriately and integrating them into their business processes in order to prove, among other things, the compliant implementation of the requirements, e.g. in future certification audits. We support you with the professional view of our experienced auditors. With our audit and certification expertise of more than 35 years, we recommend ourselves as your contact for the topics of information security and certifications according to ISO/IEC 27001:2022.

What does the update mean for your certification?

ISO/IEC 27001:2022 was published on October 25, 2022. This results in the following deadlines and timeframes for users to transition:

Certification readiness according to ISO/IEC 27001:2022

  • November 2023 at the latest (depending on DAkkS Deutsche Akkreditierungsstelle GmbH).

Last date for initial/re-certification audits according to the "old" ISO 27001:2013

  • After April 30, 2024 DQS will perform initial and recertification audits only according to the new standard ISO/IEC 27001:2022

Conversion of all existing certificates according to the "old" ISO/IEC 27001:2013 to the new ISO/IEC 27001:2022

  • there is a 3-year transition period starting from October 31, 2022
  • issued certificates according to ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 are valid until October 31, 2025 at the latest or have to be withdrawn on this date.

DQS: Your competent partner for certified information security

Thanks to the transition periods, companies have enough time to adapt their ISMS according to the new requirements and to have it certified. However, the duration and effort of the entire change process should not be underestimated - especially if you do not have sufficient specialized personnel. If you want to be on the safe side, you should deal with the issue sooner rather than later and call on experienced specialists if necessary.

As audit and certification experts with more than 35 years of expertise, we are happy to support you in evaluating your current status, e.g. as part of a delta audit. Find out from our numerous experienced auditors about the most important changes and their relevance for your organization. Together we will discuss your potential for improvement and support you until you receive your new certificate. We look forward to hearing from you.

Author
Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and the IT security catalog according to Section 11 (1a) of the German Energy Industry Act (EnWG)
