fbpx

CIMSNex User Guides

System Guides

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

 A.8.11 Data Masking would include:

  1. Data Masking Policy: Documentation of a formal data masking policy that outlines the organization's approach to protecting sensitive data through data masking techniques.

  2. Data Masking Procedures: Detailed procedures and guidelines on how data masking is applied to sensitive data, ensuring that original data is replaced with realistic but fictitious data in non-production environments.

  3. Data Masking Tools and Technologies: Documentation of the data masking tools and technologies used by the organization to implement data masking, including information about their configuration and integration with relevant systems.

  4. Data Masking Implementation: Evidence of the successful implementation of data masking techniques on databases, applications, and other data storage systems where sensitive information is stored.

  5. Data Masking Testing and Validation: Records of testing and validation processes to ensure that data masking is effective and that the masked data retains its integrity and usability for testing and development purposes.

  6. Access Controls: Evidence of access controls and permissions granted to users who have access to masked data in non-production environments, ensuring that only authorized individuals can view or manipulate this data.

  7. Compliance Documentation: Evidence of compliance with data protection regulations and industry standards related to data masking and data privacy.

  8. Data Masking Impact Assessment: Documentation of any assessments conducted to evaluate the impact of data masking on application functionality, performance, and usability.

  9. Training and Awareness: Evidence of training and awareness programs for employees involved in data masking processes, ensuring they understand the importance of data protection and the proper handling of masked data.

  10. Data Masking Audit Logs: Logs or records of data masking activities, changes, and access, as well as any incidents or anomalies related to masked data.

These pieces of evidence to assess the adequacy and effectiveness of the organization's data masking controls, ensuring that sensitive data is properly protected from unauthorized access and that the data masking techniques do not negatively impact the organization's operations or compliance efforts.

Data masking is a technique used to protect sensitive data – usually any data that could be deemed personally identifiable information (PII) – over and above an organisation’s standard information security protocols such as access control etc. Data masking, also known as data obfuscation, hides the actual data using modified content like characters or numbers. The main objective of data masking is creating an alternate version of data that cannot be easily identifiable or reverse engineered, protecting data classified as sensitive.

Where the protection of sensitive data (e.g. PII) is a concern, the organization should consider hiding such data by using techniques such as data masking, pseudonymization or anonymization. Pseudonymization or anonymization techniques can hide PII, disguise the true identity of PII principals or other sensitive information, and disconnect the link between PII and the identity of the PII principal or the link between other sensitive information. When using pseudonymization or anonymization techniques, it should be verified that data has been adequately pseudonymized or anonymized. 

Additional techniques for data masking include: encryption (requiring authorized users to have a key); nulling or deleting characters (preventing unauthorized users from seeing full messages); varying numbers and dates; substitution (changing one value for another to hide sensitive data); replacing values with their hash.

The following should be considered when implementing and using data masking, pseudonymization or anonymization techniques:

·        level of strength of data masking, pseudonymization or anonymization according to the usage of the processed data;

·        access controls to the processed data;

·        agreements or restrictions on usage of the processed data;

·        prohibiting collating the processed data with other information in order to identify the PII principal;

·        keeping track of providing and receiving the processed data.

·        any legal or regulatory requirements (e.g., requiring the masking of payment cards’ information during processing or storage).

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

 A.8.12 Data leakage prevention would include:

  1. Data Leakage Prevention (DLP) Policy: Documentation of a formal DLP policy that outlines the organization's approach to preventing data leakage and unauthorized data disclosures.

  2. DLP Configuration and Rules: Evidence of the configuration settings and specific rules set up within DLP solutions to monitor and control data movement both within the organization's network and across external channels.

  3. DLP Implementation: Documentation of the implementation of DLP solutions and technologies, including details of any hardware or software used for data monitoring and prevention.

  4. Incident Logs and Reports: Records of any incidents or alerts generated by the DLP system, indicating potential data leaks, and the corresponding actions taken to investigate and mitigate such incidents.

  5. User Training and Awareness: Evidence of training and awareness programs conducted for employees regarding data leakage risks, preventive measures, and reporting procedures for suspected incidents.

  6. Data Classification and Labeling: Documentation of data classification and labeling practices used to identify sensitive or confidential information, making it easier to apply appropriate DLP controls.

  7. Endpoint Security: Information about endpoint security measures implemented to prevent data leaks from individual devices and endpoints within the organization.

  8. Access Controls: Evidence of access controls and permissions granted to users, ensuring that data is only accessible to authorized individuals based on their roles and responsibilities.

  9. Compliance Documentation: Evidence of compliance with relevant data protection regulations and industry standards related to data leakage prevention.

  10. Data Leak Incident Response: Documentation of incident response plans and procedures in case of data leaks, outlining the steps taken to investigate, contain, and remediate the incident.

These pieces of evidence to assess the effectiveness of the organization's data leakage prevention measures, identify any potential vulnerabilities, and ensure that sensitive data is adequately protected against unauthorized disclosure and data breaches.

Data leakage can broadly be described as any information that is accessed, transferred or extracted by unauthorized internal and external personnel and systems, or malicious sources that target an organisation’s information operation. A data leak is an overlooked exposure of sensitive data, either electronically or physically. Data leaks could occur internally or via physical devices such as external hard drives or laptops.

A data leak is the accidental exposure of sensitive information. They’re caused by vulnerabilities in the security controls protecting confidential data. Data leaks can also be caused by cyber criminals publishing stolen data on their official dark web noticeboards, also known as ransomware blogs. Exposed data, such as leaked credentials, allows unauthorized access to an organization’s systems. This direct access enables hackers to carry out a range of cyber-attacks with less effort, such as: Ransomware and other types of malware injections, Social engineering, including phishing, Data exfiltration /data theft.

Data leaks occur when sensitive data is accidentally exposed publicly, either physically or digitally. Common causes of data leaks include: Misconfigured software settings, Social engineering, Recycled or weak passwords, Physical theft/loss of sensitive devices, Software vulnerabilities, Insider threats

The following data security practices could prevent data leaks and minimize the chances of data breaches

·        Evaluate the Risk of Third Parties:

·        Evaluate the Risk of Third Parties:,

·        Identify All Sensitive Data:

·        Secure All Endpoints:,

·        Implement Data Loss Prevention (DLP) Software,

·        Encrypt All Data,

·        Evaluate All Permissions,

·        Monitor the Security Posture of All Vendors

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.8.13 Information backup would include:

  1. Backup Policy: Documentation of a formal backup policy that outlines the organization's approach to backing up critical information and data.

  2. Backup Schedule: Records of scheduled backup activities, including the frequency of backups (e.g., daily, weekly, monthly) and the specific data and systems included in each backup.

  3. Backup Storage: Evidence of secure backup storage facilities or systems, ensuring data integrity and protection against unauthorized access.

  4. Backup Retention Period: Documentation of the organization's data retention policies, specifying how long backups are retained and when they are purged or archived.

  5. Backup Testing: Records of regular testing and validation of backup procedures to ensure data restorability and accuracy in case of data loss or system failures.

  6. Backup Verification: Evidence of periodic verification of backup data to confirm its consistency and validity.

  7. Data Recovery Procedures: Documentation of data recovery procedures, including step-by-step instructions on how to restore data from backups.

  8. Offsite Backup Storage: Evidence of offsite storage for backups, providing protection against physical damage or loss of data due to on-site incidents.

  9. Encryption and Security Measures: Information about encryption and security measures implemented to protect backup data during storage and transmission.

  10. Compliance Documentation: Evidence of compliance with relevant regulations and standards that require data backups for business continuity and disaster recovery purposes.

 The purpose of information backup is to ensure the availability and recoverability of critical data in case of data loss, system failures, or disaster events. As an auditor, I would review these pieces of evidence to assess the organization's backup procedures, data integrity, and the effectiveness of their backup strategy in safeguarding against potential data loss and ensuring business continuity

 

USER GUIDES

Image
Empowering organizations to achieve their performance objectives through a unique blend of consulting expertise and technology-driven solutions.

More Links

FEATURED SERVICES

Performance Improvement Consulting

ISO Management Systems Training

Customized Consulting Services

Technology Integration Solutions

 

ISO Compliance Software
Integrate . Mantain . Comply

Search