ISO 27001:2022  A 7.10 Storage media

Uncategorized 9 Minutes

The objective of this control is to prevent unauthorized disclosure, modification, removal or destruction of information stored on media. In computers, a storage media are physical devices that receives and retains electronic data for applications and users and makes data available for retrieval. It might be inside a computer or other device or attached to a system externally, either directly or over a network. The singular form of this term is storage medium.Storage media comes in many different forms, among them:

  1. Hard disk drives:It contains metal platters coated with a magnetic layer. The platters usually spin continuously when a computer is on, storing data in different sectors on the magnetic disk.
  2. RAID: It works by placing data on multiple disks and balancing input/output (I/O) operations across those disks.
  3. Flash memory:Here data is written to microchips, making storage operations much faster than traditional disks.
  4. SSD :SSDs is both network-based storage — such as NAS and SAN — and direct-attached storage (DAS)
  5. USB flash drives: A USB flash drive is a type of removable storage medium that attaches to a server or other device through a USB port.
  6. Optical disc: Optical disc technology uses lasers to write and read data.
  7. Tape: Tape was a dominant backup storage medium until the 1990s but was gradually pushed aside by magnetic disk.

Use of storage media devices such as solid-state drives (SSDs), USB sticks, external drives, and mobile phones are vital to many critical information processing operations such as data back-up, data storage, and information transfer. However, the storage of sensitive and critical information on these devices introduces risks to the integrity, confidentiality, and availability of information assets. These risks may include loss or theft of storage media containing sensitive information, propagation of malware into all corporate computing networks via the storage media, and failure and degradation of storage media devices used for data back-up. This Control addresses how organisations can establish appropriate procedures, policies, and controls to maintain the security of storage media throughout its life cycle, from its acquisition to its disposal.

Control

Storage media should be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

Purpose

To ensure only authorized disclosure, modification, removal or destruction of information on storage media.

ISO 27002 Implementation Guidance

Removable storage media

The following guidelines for the management of removable storage media should be considered:

  1. establishing a topic-specific policy on the management of removable storage media and communicating such topic- specific policy to anyone who uses or handles removable storage media;
  2. where necessary and practical, requiring authorization for storage media to be removed from the organization and keeping a record of such removals in order to maintain an audit trail;
  3. storing all storage media in a safe, secure environment according to their information classification and protecting them against environmental threats (such as heat, moisture, humidity, electronic field or ageing), in accordance with manufacturers’ specifications;
  4. if information confidentiality or integrity are important considerations, using cryptographic techniques to protect information on removable storage media;
  5. to mitigate the risk of storage media degrading while stored information is still needed, transferring the information to fresh storage media before becoming unreadable;
  6. storing multiple copies of valuable information on separate storage media to further reduce the risk of coincidental information damage or loss;
  7. considering the registration of removable storage media to limit the chance for information loss;
  8. only enabling removable storage media ports [e.g. secure digital (SD) card slots and universal serial bus (USB) ports] if there is an organizational reason for their use;
  9. where there is a need to use removable storage media, monitoring the transfer of information to such storage media;
  10. information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending storage media via the postal service or via courier.
  11. In this control, media includes paper documents. When transferring physical storage media, apply security measures in control for information transfer


Secure reuse or disposal
Procedures for the secure reuse or disposal of storage media should be established to minimize the risk of confidential information leakage to unauthorized persons. The procedures for secure reuse or disposal of storage media containing confidential information should be proportional to the sensitivity of that information. The following items should be considered:

a) if storage media containing confidential information need to be reused within the organization, securely deleting data or formatting the storage media before reuse;
b) disposing of storage media containing confidential information securely when not needed anymore (e.g. by destroying, shredding or securely deleting the content);
c) having procedures in place to identify the items that can require secure disposal;
d) many organizations offer collection and disposal services for storage media. Care should be taken in selecting a suitable external party supplier with adequate controls and experience;
e) logging the disposal of sensitive items in order to maintain an audit trail;
f) when accumulating storage media for disposal, giving consideration to the aggregation effect, which can cause a large quantity of non-sensitive information to become sensitive.

A risk assessment should be performed on damaged devices containing sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded .

Other information

When confidential information on storage media is not encrypted, additional physical protection of the storage media should be considered.

 This control enables organisations to eliminate and mitigate risks of unauthorized access to, use, deletion, modification, and transfer of sensitive information hosted on storage media devices by setting out procedures for the handling of storage media across its entire life cycle. It applies both to digital and physical storage media such as storage of information on physical files. It requires organisations to create and implement appropriate procedures, technical controls, and organisation-wide policies on the use of storage media based on the organisation’s own classification scheme and its data handling requirements such as legal and contractual obligations. Procedures must be put in place for the management of removable media in accordance with the classification scheme. General use of removable media must be risk assessed and it may be necessary to carry out use-specific risk assessments beyond that too. Removable media should only be allowed if there is a justified business reason. If no longer required, the contents of any re-usable media should be made unrecoverable and securely destroyed or erased. All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications and additional techniques like cryptography considered where appropriate (i.e. as part of the risk assessment). Where necessary and practical, authorization should be required for media removed from the organisation, and a record kept in order to maintain an audit trail.

When no longer required media must be disposed of securely by following documented procedures. These procedures minimize the risk of confidential information leakage to unauthorized parties. The procedures should be proportional to the sensitivity of the information being disposed. Things that should be considered include; whether or not the media contains confidential information; and having procedures in place which help identify the items which might. require secure disposal. Any media containing information needs to be protected against unauthorized access, misuse or corruption during transportation (unless already publicly available). The following should be considered to protect media when being transported; Reliable transport or couriers should be used – perhaps a list of authorized couriers should be agreed with management; Packaging should be sufficient in order to protect the contents from any physical damage during transit; and Logs should be kept, identifying the content of the media and the protection applied.It should also be noted that when confidential information on media is not encrypted, additional physical protection of the media should be considered.

Equipment, information or software taken off-site needs management too. That might be controlled with some form of check in-out process or more simply associated to an employee as part of their role and managed in accordance with their terms and conditions of employment . In the ever mobile working world, some assets such as mobile devices, may be routinely removed from organisational premises to facilitate mobile or home working. Where assets are not designed to be routinely removed from site or if they are of a sensitive, highly classified, valuable or fragile nature then processes should be in place to request and authorize removal and to check return of the assets. Consideration for limiting the length of time assets are allowed to be removed for should be made and should be risk based. The auditor will be looking to see that these risk assessments have been carried out for when non-routine removal of assets occurs and for policies that determine what is and isn’t routine.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important. While removable storage media is essential to many business operations and they are commonly used by most personnel, they present the highest degree of risk to the sensitive information.The organisations should adhere to for the management of removable storage media throughout its life cycle:

  • Organisations should establish a topic-specific policy on the acquisition, authorization, use, and disposal of removable storage media. This policy should be communicated to all personnel and to all relevant parties.
  • If it is practical and necessary, organisations should put in place authorization procedures on how removable storage media can be taken out of corporate premises. Furthermore, organisations should maintain log records of the removal of storage media for audit trail purposes.
  • All removable storage media should be stored in a secure area such as a safe, taking into account the information classification level assigned to the information and the environmental and physical threats to storage media.
  • If confidentiality and integrity of information contained on removable storage media are of critical importance, cryptographic techniques should be used to protect the storage media against unauthorized access.
  • Against the risk of degradation of removable storage media and loss of information stored on the media, the information should be transferred to a new storage media device before such risk occurs.
  • Critical and sensitive information should be copied and stored on multiple storage media to minimize the risk of loss of critical information.
  • To mitigate the risk of complete loss of information, registration of removable storage media devices can be an option to consider.
  • Unless there is a business-related reason to use removable storage media ports such as USB ports or SD card slots, they should not be allowed.
  • There needs to be a monitoring mechanism in place for the transfer of information to removable storage media devices.
  • When information contained in physical mediums such as papers is transferred via courier or post, there is a high risk of unauthorized access to this information. Therefore, appropriate measures should be applied.

Secure Reuse or Disposal

Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.It provides separate guidance on secure reuse and disposal of storage media so that organisations can mitigate and eliminate risks to the compromise of the confidentiality of information. The organisations should define and apply procedures for the reuse and disposal of storage media, taking into account the sensitivity level of information contained in the storage media.

  • If a storage media will be reused by an internal party within an organisation, the sensitive information hosted on that storage media should be irreversibly deleted or reformatted before it is authorised for reuse.
  • Storage media hosting sensitive information should be destroyed in a secure manner when it is no longer needed. For instance, paper documents can be shredded and digital equipment can be physically destroyed.
  • There should be a procedure for the identification of storage media items that need to be disposed of.
  • When organisations choose to work with an external party to handle the collection and disposal of storage media, they should conduct due diligence to ensure that chosen vendor is competent and it implements appropriate controls.
  • Maintaining a record of all disposed items for audit trail.
  • When multiple storage media is to be disposed of together, the accumulation effect should be taken into account: Combining different information pieces from each storage media may transform non-sensitive information into sensitive information.
  • Organisations must carry out a risk assessment on damaged equipment storing confidential information to decide if the equipment should be destroyed instead of being repaired.

Back to Home Page

If you need assistance or have any doubt and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply