
CIMSNex User Guides


A.8.12 Data leakage prevention would include:

  1. Data Leakage Prevention (DLP) Policy: Documentation of a formal DLP policy that outlines the organization's approach to preventing data leakage and unauthorized data disclosures.

  2. DLP Configuration and Rules: Evidence of the configuration settings and specific rules set up within DLP solutions to monitor and control data movement both within the organization's network and across external channels.

  3. DLP Implementation: Documentation of the implementation of DLP solutions and technologies, including details of any hardware or software used for data monitoring and prevention.

  4. Incident Logs and Reports: Records of any incidents or alerts generated by the DLP system, indicating potential data leaks, and the corresponding actions taken to investigate and mitigate such incidents.

  5. User Training and Awareness: Evidence of training and awareness programs conducted for employees regarding data leakage risks, preventive measures, and reporting procedures for suspected incidents.

  6. Data Classification and Labeling: Documentation of data classification and labeling practices used to identify sensitive or confidential information, making it easier to apply appropriate DLP controls.

  7. Endpoint Security: Information about endpoint security measures implemented to prevent data leaks from individual devices and endpoints within the organization.

  8. Access Controls: Evidence of access controls and permissions granted to users, ensuring that data is only accessible to authorized individuals based on their roles and responsibilities.

  9. Compliance Documentation: Evidence of compliance with relevant data protection regulations and industry standards related to data leakage prevention.

  10. Data Leak Incident Response: Documentation of incident response plans and procedures in case of data leaks, outlining the steps taken to investigate, contain, and remediate the incident.

An auditor would review these pieces of evidence to assess the effectiveness of the organization's data leakage prevention measures, identify any potential vulnerabilities, and ensure that sensitive data is adequately protected against unauthorized disclosure and data breaches.

Data leakage can broadly be described as any information that is accessed, transferred or extracted by unauthorized internal or external personnel or systems, or by malicious sources that target an organisation's information operations. A data leak is an overlooked exposure of sensitive data, either electronically or physically. Data leaks can occur internally or via physical devices such as external hard drives or laptops.

A data leak is the accidental exposure of sensitive information. Data leaks are caused by weaknesses in the security controls protecting confidential data. They can also be caused by cyber criminals publishing stolen data on their dark web noticeboards, also known as ransomware blogs. Exposed data, such as leaked credentials, allows unauthorized access to an organization's systems. This direct access enables attackers to carry out a range of cyber-attacks with less effort, such as:

·        Ransomware and other types of malware injection

·        Social engineering, including phishing

·        Data exfiltration / data theft

Data leaks occur when sensitive data is accidentally exposed publicly, either physically or digitally. Common causes of data leaks include:

·        Misconfigured software settings

·        Social engineering

·        Recycled or weak passwords

·        Physical theft or loss of sensitive devices

·        Software vulnerabilities

·        Insider threats

The following data security practices can prevent data leaks and minimize the chances of data breaches:

·        Evaluate the Risk of Third Parties

·        Identify All Sensitive Data

·        Secure All Endpoints

·        Implement Data Loss Prevention (DLP) Software

·        Encrypt All Data

·        Evaluate All Permissions

·        Monitor the Security Posture of All Vendors


A.8.13 Information backup would include:

  1. Backup Policy: Documentation of a formal backup policy that outlines the organization's approach to backing up critical information and data.

  2. Backup Schedule: Records of scheduled backup activities, including the frequency of backups (e.g., daily, weekly, monthly) and the specific data and systems included in each backup.

  3. Backup Storage: Evidence of secure backup storage facilities or systems, ensuring data integrity and protection against unauthorized access.

  4. Backup Retention Period: Documentation of the organization's data retention policies, specifying how long backups are retained and when they are purged or archived.

  5. Backup Testing: Records of regular testing and validation of backup procedures to ensure data restorability and accuracy in case of data loss or system failures.

  6. Backup Verification: Evidence of periodic verification of backup data to confirm its consistency and validity.

  7. Data Recovery Procedures: Documentation of data recovery procedures, including step-by-step instructions on how to restore data from backups.

  8. Offsite Backup Storage: Evidence of offsite storage for backups, providing protection against physical damage or loss of data due to on-site incidents.

  9. Encryption and Security Measures: Information about encryption and security measures implemented to protect backup data during storage and transmission.

  10. Compliance Documentation: Evidence of compliance with relevant regulations and standards that require data backups for business continuity and disaster recovery purposes.

The purpose of information backup is to ensure the availability and recoverability of critical data in case of data loss, system failures, or disaster events. As an auditor, I would review these pieces of evidence to assess the organization's backup procedures, data integrity, and the effectiveness of their backup strategy in safeguarding against potential data loss and ensuring business continuity.
