ISO 27001:2022 A 8.12 Data leakage prevention

Data leakage prevention has been added to ensure organisations have measures to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems. Data leakage can broadly be described as any information that is accessed, transferred or extracted by unauthorized internal or external personnel and systems, or by malicious sources that target an organisation’s information operations. A data leak is an overlooked exposure of sensitive data, either electronically or physically. Data leaks can occur internally or via physical devices such as external hard drives or laptops. If a cyber criminal locates a data leak, they can use the information to prepare a data breach attack, which makes data leaks an easy attack vector for cyber criminals. A data leak is the accidental exposure of sensitive information: these events are not initiated by an external impetus but are caused by weaknesses in the security controls protecting confidential data. Data leaks can also be caused by cyber criminals publishing stolen data on their official dark web noticeboards, also known as ransomware blogs. Exposed data, such as leaked credentials, allows unauthorized access to an organisation’s systems, and this direct access enables attackers to carry out a range of cyber attacks with less effort, such as:

  • Ransomware and other types of malware injections
  • Social engineering, including phishing
  • Data exfiltration /data theft

Controls

Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Purpose

To detect and prevent the unauthorized disclosure and extraction of information by individuals or systems.

ISO 27002 Implementation Guidance

The organization should consider the following to reduce the risk of data leakage:
a) identifying and classifying information to protect against leakage (e.g. personal information, pricing models and product designs);
b) monitoring channels of data leakage (e.g. email, file transfers, mobile devices and portable storage devices);
c) acting to prevent information from leaking (e.g. quarantine emails containing sensitive information).
Data leakage prevention tools should be used to:
a) identify and monitor sensitive information at risk of unauthorized disclosure (e.g. in unstructured data on a user’s system);
b) detect the disclosure of sensitive information (e.g. when information is uploaded to untrusted third-party cloud services or sent via email);
c) block user actions or network transmissions that expose sensitive information (e.g. preventing the copying of database entries into a spreadsheet).
The organization should determine if it is necessary to restrict a user’s ability to copy and paste or upload data to services, devices and storage media outside of the organization. If that is the case, the organization should implement technology such as data leakage prevention tools or the configuration of existing tools that allow users to view and manipulate data held remotely but prevent copy and paste outside of the organization’s control. If data export is required, the data owner should be allowed to approve the export and hold users accountable for their actions. Taking screenshots or photographs of the screen should be addressed through terms and conditions of use, training and auditing. Where data is backed up, care should be taken to ensure sensitive information is protected using measures such as encryption, access control and physical protection of the storage media holding the backup. Data leakage prevention should also be considered to protect against the intelligence actions of an adversary from obtaining confidential or secret information (geopolitical, human, financial, commercial, scientific or any other) which can be of interest for espionage or can be critical for the community. The data leakage prevention actions should be oriented to confuse the adversary’s decisions, for example by replacing authentic information with false information, either as an independent action or as a response to the adversary’s intelligence actions. Examples of these kinds of actions are reverse social engineering or the use of honeypots to attract attackers.
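The content-inspection step that the guidance above describes (identify sensitive information in a channel, detect its disclosure, block or quarantine the transmission), as an added example written for this page rather than text from ISO 27002. It assumes a classification scheme with the labels CONFIDENTIAL and RESTRICTED, a Luhn check to validate candidate card numbers, a constructed US-style SSN pattern as a second PII indicator, and a simple policy: indicators leaving the organisation (external recipient or USB) are quarantined, indicators on internal traffic raise an alert, and clean traffic is allowed. The events are constructed sample data.

```python
"""Added example (not ISO text): minimal DLP content inspection for
outbound channels. Labels, patterns, policy and events are assumptions."""
import re
from dataclasses import dataclass

# Labels assumed to be stamped on documents by the classification scheme.
RESTRICTED_LABELS = ("CONFIDENTIAL", "RESTRICTED")
# Candidate payment card numbers: 13-19 digits, optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed US-style SSN pattern, used as a second PII indicator.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
INTERNAL_DOMAIN = "example.org"   # assumption


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_indicators(text: str) -> dict:
    """Count each kind of sensitive indicator present in the content."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    ssns = SSN_RE.findall(text)
    labels = [lab for lab in RESTRICTED_LABELS if lab in text.upper()]
    return {"card_numbers": len(cards), "ssns": len(ssns), "labels": labels}


@dataclass
class Event:
    channel: str      # "email", "file_transfer" or "usb"
    recipient: str    # destination domain, or a device id for "usb"
    content: str


def is_internal(recipient: str, domain: str = INTERNAL_DOMAIN) -> bool:
    return recipient == domain or recipient.endswith("." + domain)


def decide(event: Event) -> dict:
    """Apply the (assumed) policy and return an auditable decision record."""
    ind = find_indicators(event.content)
    hits = ind["card_numbers"] + ind["ssns"] + len(ind["labels"])
    external = event.channel == "usb" or not is_internal(event.recipient)
    if hits == 0:
        action = "allow"
    elif external:
        action = "quarantine"   # hold for data-owner approval
    else:
        action = "alert"        # internal, but worth a look
    return {"action": action, "external": external, **ind}


# Constructed sample events (no real data).
SAMPLE_EVENTS = [
    Event("email", "example.org", "Attached is the CONFIDENTIAL Q3 pricing model"),
    Event("file_transfer", "share.thirdparty.test",
          "card 4111 1111 1111 1111 expiry 12/27"),
    Event("email", "example.org", "Lunch at noon?"),
]


def run_samples() -> list:
    return [decide(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, d in zip(SAMPLE_EVENTS, run_samples()):
        print(ev.channel, ev.recipient, d)
```

The label check is deliberately naive: the word "confidential" in ordinary prose will trigger it, which is why production DLP tools add document fingerprinting and exact-data matching, and tune thresholds per channel, to keep the alert volume reviewable.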

Other information

Data leakage prevention tools are designed to identify data, monitor data usage and movement, and take actions to prevent data from leaking (e.g. alerting users to their risky behavior and blocking the transfer of data to portable storage devices). Data leakage prevention inherently involves monitoring personnel’s communications and online activities, and by extension external party messages, which raises legal concerns that should be considered prior to deploying data leakage prevention tools. There is a variety of legislation relating to privacy, data protection, employment, interception of data and telecommunications that is applicable to monitoring and data processing in the context of data leakage prevention. Data leakage prevention can be supported by standard security controls, such as topic-specific policies on access control and secure document management.

Data leakage is a common problem within organisations that deal with large amounts of data, of different classifications, across multiple standalone and linked ICT systems, applications and file servers. Data leakage prevention is a cyber security practice that involves implementing secure data practices to reduce accidental exposure. The control concerns data leakage prevention measures, which should be applied to systems, networks and any other devices that process, store or transmit information. While it can be difficult to detect data leakage within your organisation, we recommend starting with a detailed risk assessment of the data you handle. This will help you to identify any weaknesses in your current data processing procedures that could lead to an unauthorized disclosure of data. Although prevention is better than cure, many organisations take an “assumed breach” approach, and on that basis you may also consider “seeding” datasets with uniquely identifiable information that you can easily detect via scans of ‘dark web’ or ‘pasted’ data. Organisations can apply the organisation’s classification scheme to information, use techniques to monitor for data leakage (such as email scanning, file transfer monitoring and control of mobile storage devices), and use tools to block user actions that could expose sensitive information (for example, preventing the copying of information from a database into a spreadsheet). Data leakage is difficult to eradicate entirely. That being said, to minimize the risks that are unique to their operation, organisations should:

  • Classify data in line with recognized industry standards (PII, commercial data, product information), in order to assign varying risk levels across the board.
  • Closely monitor known data channels that are heavily utilised and prone to leakage (e.g. emails, internal and external file transfers, USB devices).
  • Take proactive measures to prevent data from being leaked (e.g. robust file permissions and adequate authorization techniques).
  • Restrict a user’s ability to copy and paste data (where applicable) to and from specific platforms and systems.
  • Require authorization from the data owner prior to any mass exports being carried out.
  • Consider managing or preventing users from taking screenshots or photographing monitors that display protected data types.
  • Encrypt backups that contain sensitive information.
  • Formulate gateway security measures and leakage prevention measures that safeguard against external factors such as (but not limited to) industrial espionage, sabotage, commercial interference, and/or IP theft.
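The “seeding” idea mentioned above, as an added example written for this page rather than anything from the original text: a few canary records whose fields exist nowhere else are planted in each dataset, a registry records which canary belongs to which dataset, and a scan of a scraped dump reports which datasets the dump came from. The key, the canary domain and the dump are constructed placeholders.

```python
"""Added example (not from the original page): canary records for
detecting leaked datasets. Key, domain and sample dump are constructed."""
import hashlib
import hmac

CANARY_DOMAIN = "canary.example.test"   # assumption: a domain the organisation controls
SEED_KEY = b"canary-derivation-key-kept-separately"   # constructed placeholder


def canary_token(dataset: str, key: bytes = SEED_KEY) -> str:
    """Keyed hash of the dataset name: unique per dataset, reproducible
    by the owner, not guessable by anyone without the key."""
    return hmac.new(key, dataset.encode(), hashlib.sha256).hexdigest()[:16]


def seed_record(dataset: str, key: bytes = SEED_KEY) -> dict:
    """A plausible-looking customer row that is unique to one dataset."""
    tok = canary_token(dataset, key)
    return {
        "name": f"Case {tok[:6].upper()}",
        "email": f"{tok}@{CANARY_DOMAIN}",
        "dataset": dataset,
    }


def build_registry(datasets, key: bytes = SEED_KEY) -> dict:
    """Map each canary e-mail address to the dataset it was planted in."""
    return {seed_record(d, key)["email"]: d for d in datasets}


def scan_dump(text: str, registry: dict) -> list:
    """Return, sorted, the datasets whose canaries appear in a dump."""
    lower = text.lower()
    return sorted({ds for email, ds in registry.items() if email.lower() in lower})


def demo() -> list:
    """Constructed scenario: the CRM export leaked, payroll did not."""
    registry = build_registry(["crm_export", "hr_payroll"])
    crm_email = next(e for e, d in registry.items() if d == "crm_export")
    dump = (
        "name,email\n"
        "J. Doe,jdoe@mail.test\n"
        f"Case X,{crm_email.upper()}\n"      # scraped dumps often change case
    )
    return scan_dump(dump, registry)


if __name__ == "__main__":
    print(demo())
```

Because the token is derived with a keyed hash, the same canaries can be regenerated for every fresh export of a dataset without keeping a list of secrets, and a single hit attributes the leak to a specific dataset rather than just to “the organisation”.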

Data leakage prevention is linked to numerous other ISO security guidelines that seek to safeguard information and data across an organisation’s network, including access control measures and secure document management. Organisations should consider using dedicated data leakage tools and utility programs that:

  • Work in tandem with the organisation’s approach to data classification, and identify the potential for leakage within high-risk data types.
  • Detect and proactively alert upon the transfer and/or disclosure of data, especially to unauthorised systems, file sharing platforms or applications.
  • Recognize the risks inherent within certain data transfer methods (e.g. copying financial information from a database into a spreadsheet).

Data leakage prevention tools are intrusive by their very nature, and should be implemented and managed in accordance with any regulatory requirements or legislation that deals with user privacy.

Data leaks occur when sensitive data is accidentally exposed publicly, either physically or digitally. Common causes of data leaks include:

  • Misconfigured software settings
  • Social engineering
  • Recycled or weak passwords
  • Physical theft/loss of sensitive devices
  • Software vulnerabilities
  • Insider threats

There are four major categories of data leaks – customer information, company information, trade secrets, and analytics.

1. Customer Information: Some of the biggest data breaches included customer data leaks that involved personally identifiable information. Customer data is unique to each company. Customer confidential information could include any of the following:

  • Customer names
  • Addresses
  • Phone number
  • Email addresses
  • Usernames
  • Passwords
  • Social Security numbers
  • Payments histories
  • Product browsing habits
  • Credit Card numbers

2. Company Information: Leaked company information exposes sensitive internal activity. Such data leaks tend to be in the cross hairs of unscrupulous businesses pursuing the marketing plans of their competitors. Company data leaks could include the following:

  • Internal communications
  • Performance metrics
  • Marketing strategies

3. Trade Secrets: This is the most dangerous form of data leak to a business. Intellectual property theft destroys a business’s growth potential, running it into the ground. Trade secret leakage could include the following types of data:

  • Upcoming product plans
  • Software coding
  • Proprietary technology information

4. Analytics: Large data sets feed analytics dashboards, and cyber criminals are drawn to any sizable pool of data. Analytics software is, therefore, an attack vector that needs to be monitored. Analytics data leaks could include the following:

  • Customer behavior data
  • Psychographic data
  • Modeled data

The following data security practices could prevent data leaks and minimize the chances of data breaches.

1. Evaluate the Risk of Third Parties: Unfortunately, your vendors may not take cybersecurity as seriously as you do. It’s important to keep evaluating the security posture of all vendors to ensure they’re not at risk of suffering data leaks through critical security vulnerabilities. Vendor risk assessments are a common method of identifying third-party security risks and ensuring compliance with regulatory standards.

2. Monitor all Network Access: The more corporate network traffic being monitored, the higher the chances of identifying suspicious activity. Cyber attacks are usually preceded by reconnaissance campaigns – cyber criminals need to identify the specific defenses that need circumventing during an attack. Data leak prevention solutions empower organizations to identify and remediate security vulnerabilities, reducing the opportunity for reconnaissance campaigns. Information security policies may need to be revised to enforce privileged access to highly sensitive data.

3. Identify All Sensitive Data: Data Leakage Prevention should be front of mind for organizations looking to enhance their Information security strategies. Before Data Leakage Prevention policies can be initiated, businesses need to identify all of the sensitive data that needs to be secured. This data then needs to be correctly classified in line with strict security policies. With correct sensitive data discovery and classification, a business can tailor the most efficient data leak prevention defenses for each data category.

4. Secure All Endpoints: An endpoint is any remote access point that communicates with a business network via end-users or autonomously. This includes Internet of Things (IoT) devices, desktop computers, and mobile devices. With most organizations now adopting some form of remote working model, endpoints have become dispersed (sometimes even internationally), making them harder to secure. Organizations must extend their coverage to cloud-based endpoint security. Organizations also need to train their staff to recognize the trickery of cyber attackers, particularly email phishing and social engineering attacks; education is a very powerful data leakage prevention measure. Securing endpoints is a fundamental component of Data Leakage Prevention.

5. Implement Data Loss Prevention (DLP) Software
Data loss prevention (DLP) is an overarching data protection strategy that should include data leak prevention as a core component. An effective DLP system combines processes and technology to ensure sensitive data is not lost, misused, or exposed to unauthorized users. Below are the six components of a DLP program requiring DLP solutions:

  • Data identification: Many organizations leverage automation techniques, such as machine learning and artificial intelligence (AI), to streamline the data identification process.
  • Securing data in motion: Deploy DLP software at the network edge to detect sensitive data transfers violating data loss prevention policies.
  • Securing endpoints: Endpoint DLP agents can monitor user behavior in real-time and control data transfers between specified parties, e.g., through instant messaging apps.
  • Securing data at rest: DLP products can enforce access control, regulatory compliance requirements, encryption algorithms, and data storage policies to protect archived data.
  • Secure data in use: Comprehensive DLP tools can monitor and flag unauthorized user behavior, e.g., unauthorized privilege escalation on an app.
  • Data leak detection: If data leak prevention strategies fall through, fast remediation is crucial to avoiding a data breach. Effective data leak detection tools can scan the open and deep web for data exposures, including S3 buckets and GitHub repositories, enabling faster removal of potential breach vectors.

6. Encrypt All Data: Cyber criminals may find it difficult to exploit data leaks if the data is encrypted. There are two main categories of data encryption – symmetric-key encryption and public-key encryption. While encrypted data may stump amateur hackers, capable cyber attackers could decrypt the data without a decryption key. For this reason, data encryption shouldn’t be the sole data leak prevention tactic but should be used alongside all the methods in this list.

7. Evaluate All Permissions: Your confidential data could currently be accessed by users that don’t require it. As an initial response, all permissions should be evaluated to ensure access isn’t being granted to unauthorized parties. Once this has been verified, all critical data should be categorized into different levels of sensitivity to control access to different pools of data. Only trustworthy staff with essential requirements should have access to highly sensitive data. This privileged access assignment process may also identify malicious insiders facilitating sensitive data exfiltration.

8. Monitor the Security Posture of All Vendors: Sending risk assessments will prompt vendors to strengthen their cyber security efforts, but without a monitoring solution, remediation efforts cannot be confirmed. Security scoring is a highly efficient way of evaluating a vendor’s susceptibility to data breaches. These monitoring solutions display all vendors in the third-party network alongside their security rating, giving organizations instant transparency into the health status of their entire vendor network.

ISO 27001:2022 A 8.11 Data masking

Data masking is a technique used to protect sensitive data – usually any data that could be deemed personally identifiable information (PII) – over and above an organisation’s standard information security protocols such as access control. Data masking, also known as data obfuscation, hides the actual data using modified content such as characters or numbers. The main objective of data masking is to create an alternate version of the data that cannot easily be identified or reverse engineered, protecting data classified as sensitive. Importantly, the data remains consistent across multiple databases, and its usability remains unchanged. It is a method of creating a structurally similar but inauthentic version of an organisation’s data that can be used for purposes such as software testing and user training. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required. Data masking is often mentioned in legal, statutory and regulatory guidelines and laws governing the storage and access of employee, customer, user and vendor information. Data masking generally applies to non-production environments, such as software development and testing, user training, etc., areas that do not need actual data.

Although most organizations have stringent security controls in place to protect production data in storage and in business use, sometimes that same data element has been used for operations that are less secure. The issue is often compounded if these operations are outsourced and the organization has less control over the environment. In the wake of compliance legislation, most organizations are no longer comfortable exposing real data unnecessarily. Data masking substitutes original values in a data set with randomized data using various data shuffling and manipulation techniques. The obfuscated data maintains the unique characteristics of the original data so that it yields the same results as the original data set. Data masking is a complex technical process that involves altering sensitive information and preventing users from identifying data subjects through a variety of measures. Whilst this is itself an administrative task, the nature of data masking is directly related to an organisation’s ability to remain compliant with laws, regulations and statutory guidelines concerning the storage, access and processing of data. As such, ownership should reside with the Chief Information Security Officer, or organisational equivalent.

Control

Data masking should be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Purpose

To limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements.

ISO 27002 Implementation Guidance

Where the protection of sensitive data (e.g. PII) is a concern, the organization should consider hiding such data by using techniques such as data masking, pseudonymization or anonymization. Pseudonymization or anonymization techniques can hide PII, disguise the true identity of PII principals or other sensitive information, and disconnect the link between PII and the identity of the PII principal or the link between other sensitive information. When using pseudonymization or anonymization techniques, it should be verified that data has been adequately pseudonymized or anonymized. Data anonymization should consider all the elements of the sensitive information to be effective. As an example, if not considered properly, a person can be identified even if the data that can directly identify that person is anonymised, by the presence of further data which allows the person to be identified indirectly. Additional techniques for data masking include:

  1. encryption (requiring authorized users to have a key);
  2. nulling or deleting characters (preventing unauthorized users from seeing full messages);
  3. varying numbers and dates;
  4. substitution (changing one value for another to hide sensitive data);
  5. replacing values with their hash.

The following should be considered when implementing data masking techniques:
a) not granting all users access to all data, therefore designing queries and masks in order to show only the minimum required data to the user;
b) there are cases where some data should not be visible to the user for some records out of a set of data; in this case, designing and implementing a mechanism for obfuscation of data (e.g. if a patient does not want hospital staff to be able to see all of their records, even in case of emergency, then the hospital staff are presented with partially obfuscated data and data can only be accessed by staff with specific roles if it contains useful information for appropriate treatment);
c) when data are obfuscated, giving the PII principal the possibility to require that users cannot see if the data are obfuscated (obfuscation of the obfuscation; this is used in health facilities, for example if the patient does not want personnel to see that sensitive information such as pregnancies or results of blood exams has been obfuscated);
d) any legal or regulatory requirements (e.g. requiring the masking of payment cards’ information during processing or storage).
The following should be considered when using data masking, pseudonymization or anonymization:
a) level of strength of data masking, pseudonymization or anonymization according to the usage of the processed data;
b) access controls to the processed data;
c) agreements or restrictions on usage of the processed data;
d) prohibiting collating the processed data with other information in order to identify the PII principal;
e) keeping track of providing and receiving the processed data.
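A dynamic data masking view that implements points a), b) and c) of the implementation guidance above, as an added example written for this page and not part of ISO 27002: each role receives only its minimum field set, fields the PII principal has restricted are withheld unless a clinician needs them for treatment in an emergency, and when the principal asks for it the fact that something is withheld is itself hidden (no “***” placeholder). The patient record, the roles and the policy are constructed assumptions.

```python
"""Added example (not ISO text): role- and consent-aware dynamic masking.
Record, role policy and emergency rule are constructed assumptions."""

# Constructed patient record (no real data).
RECORD = {
    "patient_id": "P-1001",
    "name": "A. Example",
    "dob": "1980-04-02",
    "allergies": "penicillin",
    "blood_results": "HbA1c 7.9%",
    "pregnancy_test": "positive",
}

# The PII principal's choices: fields to hide, and whether the fact that
# something is hidden should itself be hidden (obfuscation of the obfuscation).
PREFERENCES = {"restricted": {"blood_results", "pregnancy_test"}, "hide_markers": True}

# Guidance a): each role sees only the minimum required fields (assumed policy).
ROLE_FIELDS = {
    "reception": {"patient_id", "name", "dob"},
    "nurse": {"patient_id", "name", "dob", "allergies"},
    "physician": set(RECORD),
}
# Guidance b): fields a clinician may unlock in an emergency, for treatment only.
TREATMENT_CRITICAL = {"allergies", "blood_results"}
UNLOCK_ROLES = {"physician"}


def render(record: dict, prefs: dict, role: str, emergency: bool = False) -> dict:
    """Build the view a user of `role` receives; the record is never mutated."""
    view = {}
    for field, value in record.items():
        if field not in ROLE_FIELDS[role]:
            continue                       # outside the role's minimum set
        restricted = field in prefs["restricted"]
        unlocked = emergency and role in UNLOCK_ROLES and field in TREATMENT_CRITICAL
        if restricted and not unlocked:
            if prefs["hide_markers"]:
                continue                   # guidance c): omit silently
            view[field] = "***"            # masked, and visibly so
        else:
            view[field] = value
    return view


if __name__ == "__main__":
    for role in ROLE_FIELDS:
        print(role, render(RECORD, PREFERENCES, role))
    print("physician, emergency", render(RECORD, PREFERENCES, "physician", emergency=True))
```

Each call to render is a policy decision worth logging together with the role and the emergency flag, which is what point e) of the second list (keeping track of who received the processed data) asks for.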

Other information

Anonymization irreversibly alters PII in such a way that the PII principal can no longer be identified directly or indirectly. Pseudonymization replaces the identifying information with an alias. Knowledge of the algorithm (sometimes referred to as the “additional information”) used to perform the pseudonymization allows for at least some form of identification of the PII principal. Such “additional information” should therefore be kept separate and protected. While pseudonymization is therefore weaker than anonymization, pseudonymized datasets can be more useful in statistical research. Data masking is a set of techniques to conceal, substitute or obfuscate sensitive data items. Data masking can be static (when data items are masked in the original database), dynamic (using automation and rules to secure data in real-time) or on-the-fly (with data masked in an application’s memory). Hash functions can be used in order to anonymize PII. In order to prevent enumeration attacks, they should always be combined with a salt function. PII in resource identifiers and their attributes [e.g. file names, uniform resource locators (URLs)] should be either avoided or appropriately anonymized. Additional controls concerning the protection of PII in public clouds are given in ISO/IEC 27018. Additional information on de-identification techniques is available in ISO/IEC 20889.
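Why the “additional information” has to be kept separate, and why a hash without a salt does not anonymize a small-domain identifier, as an added example written for this page (not ISO text). It uses HMAC-SHA256 with a secret key as the keyed form of the salting the standard calls for (a per-record random salt would break joins across records, so a single secret key is the usual choice when pseudonyms must stay consistent). The key and the employee-id format are constructed assumptions; the verification routine is the check an organisation runs to confirm, as the guidance requires, that data has been adequately pseudonymized.

```python
"""Added example (not ISO text): keyed pseudonymisation versus an unkeyed
hash over a small identifier domain. Key and id format are constructed."""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# The "additional information": stored separately from the pseudonymised data.
PSEUDONYM_KEY = b"pseudonymisation-key-kept-separately"   # constructed placeholder


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: consistent across records (joins still work),
    but not recomputable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def employee_ids() -> list:
    """Constructed small identifier domain: E0000 .. E9999 (10,000 values)."""
    return [f"E{i:04d}" for i in range(10_000)]


def enumerate_small_domain(token: str, candidates: Iterable[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """Adequacy check: does any candidate map to `token` under the function
    the data holder used? A hit means the pseudonym is reversible."""
    for c in candidates:
        if fn(c) == token:
            return c
    return None


def verification_report(original: str = "E4242") -> dict:
    """Run the check for both schemes over the whole identifier domain."""
    ids = employee_ids()
    return {
        # Unkeyed: 10,000 hashes recover the id; this is the enumeration attack.
        "unkeyed_recovered": enumerate_small_domain(plain_hash(original), ids, plain_hash),
        # Keyed: without the key the reviewer cannot reproduce any token.
        "keyed_recovered": enumerate_small_domain(pseudonymize(original), ids, plain_hash),
        # The holder of the key still gets a stable alias for linking records.
        "keyed_consistent": pseudonymize(original) == pseudonymize(original),
    }


if __name__ == "__main__":
    print(verification_report())
```

The size of the domain is what matters: national identifiers, dates of birth and employee numbers all fall in ranges small enough to hash exhaustively in seconds, which is why the standard's “salt function” requirement applies to them in particular.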

Data masking, which is also called data sanitization, keeps sensitive information private by making it unrecognizable but still usable. This lets developers, researchers and analysts use a data set without exposing the data to any risk. Data masking is different from encryption. Encrypted data can be decrypted and returned to its original state with the correct encryption key. With masked data, there is no algorithm to recover the original values. Masking generates a characteristically accurate but fictitious version of a data set that has zero value to hackers. It also cannot be reverse engineered, and statistical outputs cannot be used to identify individuals. Like data encryption, not every data field needs to be masked, although some fields must be completely hidden.

Organisations can consider data masking through the scope of two main techniques – pseudonymisation and/or anonymisation. Anonymisation is the process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified. An individual may be directly identified from their name, address, postcode, telephone number, photograph or image, or some other unique personal characteristic. An individual may be indirectly identifiable when certain information is linked together with other sources of information, including their place of work, job title, salary, their postcode or even the fact that they have a particular diagnosis or condition. Once data is truly anonymised and individuals are no longer identifiable. Pseudonymisation is the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual. Both of these methods are designed to disguise the true subject of PII through disassociation, i.e. hiding the link between the raw data and the subject (usually a person). Organisations should take great care to ensure that no single piece of data compromises the subject’s identity. When using either of these techniques, organisations should consider:

  • The level of pseudonymisation and/or anonymisation required, relative to the nature of the data.
  • How the masked data is being accessed.
  • Any binding agreements that restrict use of the data to be masked.
  • Keeping the masked data separate from any other data types, in order to prevent the data subject being easily identified.
  • Logging when the data was received, and how it has been provided to any internal or external sources.

Pseudonymisation and anonymisation aren’t the only methods available to organisations looking to mask PII or sensitive data. Other methods that can be used to bolster data security include:

  • Key-based encryption.
  • Voiding or deleting characters within the dataset.
  • Varying numbers and dates.
  • Replacing values across the data.
  • Hash-based value masking.

Data masking is an important part of an organisation’s policy towards protecting PII and safeguarding the identity of the individuals whom it holds data on. As well as the above techniques, organisations should consider the below suggestions when strategising their approach to data masking:

  • Implement masking techniques that only reveal the minimum amount of data to anyone who uses it.
  • Obfuscate (hide) certain pieces of data at the request of the subject, and only allow certain members of staff to access the sections that are relevant to them.
  • Build the data masking operation around specific legal and regulatory guidelines.
  • Where pseudonymisation is implemented, keep the algorithm that is used to ‘de-mask’ the data safe and secure.

Types of data masking

There are several types of data masking you can use, depending on your use case. Of the many, static and on-the-fly data masking are the most common.

1. Static data masking (SDM): Static data masking generally works on a copy of a production database. SDM changes data to look accurate in order to develop, test, and train accurately, without revealing the actual data. The process goes like this:

  • Take a backup or a golden copy of the production database to a different environment.
  • Remove any unnecessary data, and mask it while in stasis.
  • Save the masked copy to the desired location.

2. Dynamic data masking (DDM): DDM happens dynamically at run time and streams data directly from a production system so that masked data will not need to be saved in another database. It is primarily used for processing role-based security for applications, such as processing customer inquiries and handling medical records. Thus, DDM applies to read-only scenarios to prevent writing the masked data back to the production system.

3. Deterministic data masking: Deterministic data masking replaces a given value with the same masked value wherever it occurs. For example, if a first name column appears in several tables across your databases, masking ‘Ali’ to ‘Helen’ should show ‘Helen’ not only in the masked table but also in all associated tables. Whenever you run the masking, it gives the same result.

4. On-the-fly data masking: On-the-fly data masking occurs when data transfers from production environments to another environment, like test or development. On-the-fly data masking is ideal for organizations that:

  • Deploy software continuously
  • Have heavy integrations

Because it is challenging to keep a backup copy of masked data continuously, this process sends only a subset of masked data when needed.

5. Statistical data obfuscation: Production data carries statistical information, which statistical data obfuscation techniques can disguise. Differential privacy is one such technique: it lets you share information about patterns in a data set without revealing information about the actual individuals in the data set.

Data masking techniques

A variety of data management techniques can be used to mask or anonymize PII and other private and sensitive data depending on the data type. These masking methods include the following:

  1. Scrambling: Scrambling randomly reorders alphanumeric characters to obscure the original content. For example, a customer complaint ticket number of 3429871 in a production environment could appear as 8840162 in a test environment after being scrambled. Although scrambling is easy to implement, it only works on certain types of data. Data obfuscated this way is not as secure as other techniques.
  2. Substitution: This technique replaces the original data with another value from a supply of credible values. Lookup tables are often used to provide alternative values to the original, sensitive data. The values must pass rule constraints and preserve the original characteristics of the data. It is harder to apply substitution than scrambling, but it can be applied to several data types and provides good security. For example, credit card numbers can be substituted with numbers that pass card provider validation rules.
  3. Shuffling: Values within a column, such as user surnames, are shuffled to randomly reorder them. For example, if customer surnames are shuffled, the results look accurate but won’t reveal any personal information. However, it is essential that the shuffling masking algorithm is kept secure so it cannot be used to reverse-engineer the data masking process.
  4. Date aging: This method increases or decreases a date field by a specific date range. Again, the range value used must be kept secure.
  5. Variance: A variance is applied to a number or date field. This approach is often used for masking financial and transaction value and date information. The variance algorithm modifies each number or date in a column by a random percentage of its real value. For instance, a column of employees’ salaries could have a variance of plus or minus 5% applied to it. This would provide a reasonable disguise for the data while maintaining the range and distribution of salaries within existing limits.
  6. Masking out: Masking out only scrambles part of a value and is commonly applied to credit card numbers where only the last four digits remain visible.
  7. Nullifying: Nullifying replaces the real values in a data column with a null value, completely removing the data from view. Although this sort of deletion is simple to implement, the nullified column cannot be used in queries or analysis. As a result, it can degrade the integrity and quality of the data set for development and testing environments.
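The seven techniques listed above, plus the deterministic masking described under “Types of data masking”, implemented together as an added example written for this page (it is not code from the original article). Rather than a stored lookup file, the per-value randomness is seeded from a keyed hash, so the same input masks to the same output in every table (referential integrity), while the key that would let anyone re-derive the mapping is the one secret to protect. The key, the name list and the two sample tables are constructed assumptions.

```python
"""Added example (not from the original page): static masking techniques
applied consistently across tables. Key, names and tables are constructed."""
import datetime
import hashlib
import hmac
import random

# Kept separately from the masked data, like a substitution lookup file.
MASK_KEY = b"masking-secret-kept-separately"   # constructed placeholder
FIRST_NAMES = ["Helen", "Omar", "Priya", "Tomas", "Yuki", "Zara"]   # constructed


def keyed_rng(value: str, purpose: str) -> random.Random:
    """PRNG seeded from HMAC(key, purpose:value): deterministic per input,
    so 'Ali' masks identically everywhere, yet unrecoverable without the key."""
    digest = hmac.new(MASK_KEY, f"{purpose}:{value}".encode(), hashlib.sha256).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))


def scramble(value: str) -> str:
    """Scrambling: reorder the characters (weak: the multiset survives)."""
    chars = list(value)
    keyed_rng(value, "scramble").shuffle(chars)
    return "".join(chars)


def substitute_name(value: str) -> str:
    """Substitution: a credible value from a lookup list, chosen consistently."""
    return keyed_rng(value, "name").choice(FIRST_NAMES)


def shuffle_column(values: list, seed: int = 20240101) -> list:
    """Shuffling: permute a whole column; the seed is the secret to protect."""
    out = list(values)
    random.Random(seed).shuffle(out)
    return out


def age_date(iso_date: str, max_days: int = 90) -> str:
    """Date aging: shift by a keyed-random number of days within +/- max_days."""
    d = datetime.date.fromisoformat(iso_date)
    shift = keyed_rng(iso_date, "date").randint(-max_days, max_days)
    return (d + datetime.timedelta(days=shift)).isoformat()


def date_shift_days(a_iso: str, b_iso: str) -> int:
    """Helper for checking the aging window."""
    return abs((datetime.date.fromisoformat(a_iso) - datetime.date.fromisoformat(b_iso)).days)


def variance(amount: float, pct: float = 5.0) -> float:
    """Variance: scale a number by a random percentage within +/- pct."""
    factor = 1 + keyed_rng(repr(amount), "variance").uniform(-pct, pct) / 100
    return round(amount * factor, 2)


def mask_out(card: str, visible: int = 4) -> str:
    """Masking out: hide all but the last `visible` digits."""
    digits = card.replace(" ", "").replace("-", "")
    return "*" * (len(digits) - visible) + digits[-visible:]


def nullify(_value):
    """Nullifying: drop the value entirely (the column is then useless in queries)."""
    return None


# Field -> technique, applied identically to every table.
RULES = {"first_name": substitute_name, "card": mask_out, "salary": variance,
         "dob": age_date, "ticket": scramble, "notes": nullify}


def mask_record(rec: dict) -> dict:
    return {k: (RULES[k](v) if k in RULES else v) for k, v in rec.items()}


def mask_tables():
    """Constructed sample: the same person appears in two related tables."""
    customers = {"id": 7, "first_name": "Ali", "dob": "1980-04-02",
                 "card": "4111 1111 1111 1111", "notes": "VIP, complained twice"}
    orders = {"order_id": 3429871, "customer_id": 7, "first_name": "Ali",
              "salary": 50000.0, "ticket": "3429871"}
    return mask_record(customers), mask_record(orders)


if __name__ == "__main__":
    for row in mask_tables():
        print(row)
```

The choice of technique per field is the policy decision the “Define your stack” best practice below refers to; the point of routing every table through the same RULES mapping is that a masked customer row and a masked order row still join on the same masked first name.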

Data masking best practices

1. Identify the sensitive data: Before masking any data, identify and catalog the:

  • Sensitive data location(s)
  • Authorized person(s) who can view them
  • Their usage

Not every data element in a company needs masking. Instead, thoroughly identify the existing sensitive data in both production and non-production environments. Depending on the complexity of the data and the organizational structure, this may require a significant amount of time.

2. Define your stack of data masking techniques: It is not practical for large organizations to use only a single masking tool across the entire enterprise, since data varies greatly. Plus, the technique you choose may have to comply with specific internal security policies or meet budgetary requirements. In some cases, you may have to develop your own masking technique. So, consider all these factors to choose the right set of techniques. Keep them in sync to ensure the same type of data uses the same technique, which preserves referential integrity across systems.

3. Secure your data masking techniques: Masking techniques and their associated data are as critical as the sensitive data itself. For example, the substitution technique can use a lookup file; if this lookup file (or the key that seeds a deterministic masking function) falls into the wrong hands, it can be used to reveal the original data set. Organizations should establish guidelines that allow only authorized persons to access the masking algorithms and their secrets.

4. Make masking repeatable: Over time, changes to an organization or a particular project or product can result in changes to the data. Avoid starting from square one each time. Instead, make masking a process that is repeatable, quick, and automatic, so you can implement them when changes to the sensitive data occur.

5. Define an end-to-end data masking process: Organizations must have an end-to-end process that includes:

  • Identifying sensitive information
  • Applying the appropriate data masking technique
  • Continuously auditing to ensure data masking is working as expected

ISO 27001:2022 A 8.10 Information deletion

A fundamental principle of information security is that information that is not necessary for the business should not be kept. This principle is known as data minimization, and it is meant to protect against unnecessary and disproportionate harm in the event of a security breach. The most common way to apply it is to enact and enforce information retention and deletion policies across the organization. These address the deletion of information when it is no longer needed or when storage times exceed documented retention periods. The intent is to limit the potential for leakage of sensitive data and to comply with any relevant privacy and other requirements. Deletion can cover data in IT systems, on removable media or in cloud services.

Information should be deleted when it is no longer needed for authorized purposes. The period of time for which information remains necessary, however, is not standardized across organizations, industries or operations. Determining the appropriate period requires knowledge of the information a company holds, how it is classified (for example, whether it includes personal information), how it is used in the business and any laws applicable to its retention. The most common means of determining this period is the process of developing and documenting information retention policies and schedules. An information retention policy is a corporate policy that goes beyond statutory legal requirements and directs operations about which information the company should retain, delete, or retain for a period and then delete. For information that policy permits to be retained for a given period and then requires to be deleted, the retention period is generally documented in a retention schedule. Both the policy and the schedule should reflect the types of information the company has, the laws applicable to its retention and the risk position of the company.

Control

Information stored in information systems, devices or in any other storage media should be deleted when no longer required.

Purpose

To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.

ISO 27002 Implementation Guidance

General
Sensitive information should not be kept for longer than it is required, in order to reduce the risk of undesirable disclosure. When deleting information on systems, applications and services, the following should be considered:

  1. selecting a deletion method (e.g. electronic overwriting or cryptographic erasure) in accordance with business requirements and taking into consideration relevant laws and regulations;
  2. recording the results of deletion as evidence;
  3. when using service suppliers of information deletion, obtaining evidence of information deletion from them.

Where third parties store the organization’s information on its behalf, the organization should consider the inclusion of requirements on information deletion into the third-party agreements to enforce it during and upon termination of such services.
Deletion methods
In accordance with the organization’s topic-specific policy on data retention and taking into consideration relevant legislation and regulations, sensitive information should be deleted when no longer required, by:

  1. configuring systems to securely destroy information when no longer required (e.g. after a defined period subject to the topic-specific policy on data retention or by subject access request);
  2. deleting obsolete versions, copies and temporary files wherever they are located;
  3. using approved, secure deletion software to permanently delete information to help ensure information cannot be recovered by using specialist recovery or forensic tools;
  4. using approved, certified providers of secure disposal services;
  5. using disposal mechanisms appropriate for the type of storage media being disposed of (e.g. degaussing hard disk drives and other magnetic storage media).

Where cloud services are used, the organization should verify if the deletion method provided by the cloud service provider is acceptable, and if it is the case, the organization should use it, or request that the cloud service provider delete the information. These deletion processes should be automated in accordance with topic-specific policies, when available and applicable. Depending on the sensitivity of information deleted, logs can track or verify that these deletion processes have happened.

To avoid the unintentional exposure of sensitive information when equipment is being sent back to vendors, sensitive information should be protected by removing auxiliary storage (e.g. hard disk drives) and memory before equipment leaves the organization’s premises. Considering that the secure deletion of some devices (e.g. smartphones) can only be achieved through destruction or using the functions embedded in these devices (e.g. “restore factory settings”), the organization should choose the appropriate method according to the classification of information handled by such devices. Control measures described in clause for Secure disposal or re-use of equipment should be applied to physically destroy the storage device and simultaneously delete the information it contains.

An official record of information deletion is useful when analyzing the cause of a possible information leakage event.

There are a variety of methods for deleting data. These vary in effectiveness, from simply pressing the Delete key on a personal computer (which only removes the reference to the data and leaves the content recoverable until it is overwritten) to physical destruction of the media on which the data is stored. The best method of data deletion can be determined from the type and nature of the data and the risk associated with its exposure. As well as managing the ongoing use of data and information on internal servers and storage devices (HDDs, arrays, USB drives etc.), organisations need to be acutely aware of their obligations to remove and delete any data held on employees, users, customers or organisations when it is reasonably necessary to do so (usually when it is no longer needed). It can sometimes be difficult to ascertain when data should be deleted. As a general rule, organisations should delete data when it is no longer required, in order to minimize what is referred to as undesirable disclosure, i.e. data being viewed by, or passed on to, individuals and organisations that are not authorized to access it. In accordance with this guideline, when the time comes to delete data, organisations should:

  • Opt for an appropriate deletion method that fulfils any prevailing laws or regulations. Techniques include standard deletion (suitable only where recovery of the data would cause no harm), overwriting, or cryptographic erasure (destroying the key under which the data was encrypted, which makes every copy of the ciphertext unreadable at once).
  • Log the results of the deletion for future reference.
  • Ensure that, if a specialised deletion vendor is used, the organisation obtains adequate proof (usually via documentation) that the deletion has been carried out.
  • If a third-party vendor is being used, organisations should stipulate their precise requirements, including deletion methods and timescales, and ensure that deletion activities are covered under a binding agreement.

When formulating a deletion process, organisations should:

  • Configure internal systems to delete data and information in accordance with the organisation’s topic-specific policy on retention.
  • Ensure that deletion extends to temporary files, cached information, copies of data and legacy versions.
  • Consider using specialized deletion utility applications to minimize risk.
  • Only contract out to certified, verifiable deletion specialists, if the need arises to use a third-party service.
  • Implement physical deletion measures that are appropriate to the device in question (e.g. degaussing magnetic storage media, restoring factory settings on a smartphone or physical destruction).
  • Ensure that cloud service providers are aligned with the organisation’s own deletion requirements (as far as is possible).

When shipping equipment (notably servers and workstations) to vendors, organisations should remove any internal or external storage devices before doing so. There should be full traceability and record keeping to evidence which information assets have been destroyed and how. For physical drives this may include recording the serial numbers of the hard drives; however, serial numbers alone may not be enough to maintain a complete audit trail of the data, since they say nothing about which information the drive held. When using service suppliers for information deletion it is important to obtain evidence of information deletion from them, and to conduct enough due diligence to be satisfied that the process has been completed effectively. An official record of information deletion is useful when analyzing the cause of a possible information leakage event.

Businesses must only keep personal data as long as necessary and only for the purposes they have specified. To manage this legal obligation successfully, you’ll need to start with an up-to-date data retention policy and schedule. These should clearly identify which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances you might need to hold it for longer. These are the 5 key steps when an agreed retention period (as shown on your retention schedule) is reached.

  • Identify the relevant records which have reached their retention period
  • Notify the relevant business owner to confirm they are no longer needed
  • Consider any changes in circumstances which may require longer retention of the data
  • Make a decision on what happens to the data
  • Document the decision and keep evidence of the action

There are different approaches an organisation can take when the data retention period is reached, such as:

  • Delete it – usually the default option
  • Anonymise it
  • Securely destroy it – for physical records, such as HR files

Deletion of records might seem the obvious choice, and it’s often the best one too.

But take care how you delete data. Sometimes deleting whole records can affect key processes on your systems such as reporting, algorithms and other programs. There are software methods of deleting data, which may involve removing whole records from a dataset or overwriting them, for example using zeros and ones to overwrite the personal identifiers in the data. Once the personal identifiers are overwritten, that data is rendered unrecoverable, and therefore it’s no longer classed as personal data. This deletion process should include backup copies of data. Whilst personal data may be instantly deleted from live systems, it may still remain within the backup environment until it is overwritten. If the backup data cannot be immediately overwritten it must be put ‘beyond use’, i.e. you must make sure the data is not used for any other purpose and is simply held on your systems until it’s replaced, in line with an established schedule.

Destruction is the final action for about 95% of most organisations’ physical records. Physical destruction may include shredding, pulping or burning paper records. Destruction is likely to be the best course of action for physical records when the organisation no longer needs to keep the data, and when it does not need to hold data in an anonymised format. Controllers are accountable for the way personal data is processed and consequently, the disposal decision should be documented in a disposal schedule. Many organisations use other organisations to manage the disposal or destruction of physical records. There are benefits of using third parties, such as reducing in-house storage costs. Remember, third parties providing this kind of service will be regarded as a data processor, therefore you’ll need to make sure an appropriate contract is in place which includes the usual data protection clauses. Destruction may be carried out remotely following an agreed process. For instance, a processor might provide regular notifications of batches due to be destroyed in line with documented retention periods.

Retention periods also apply to unstructured data which contains personal identifiers, most commonly electronic communications records such as emails, instant messages, call recordings and so on. As you can imagine, unstructured data records present some real challenges. You’ll need to be able to review the records to find any personal data stored there, so it can be deleted in line with your retention schedules, or for an erasure request. Depending on the size of your organisation, you may need to use specialist software tools to perform content analysis of unstructured data.
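A worked example of the deletion guidance above and of the five retention steps, added here as an illustration that is not part of the original page. Each record is encrypted under its own key, so destroying that key (cryptographic erasure) also renders any backup copy that cannot yet be overwritten unreadable, and every decision is written to an evidence record. The retention periods, record categories and sample records are constructed assumptions, and the HMAC-based keystream is a stand-in for a proper AEAD cipher so the example runs on the standard library alone:

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Constructed retention schedule (in days). Real periods come from the organisation's
# documented schedule and applicable law; these figures are placeholders.
RETENTION_DAYS = {"hr_file": 365 * 6, "support_ticket": 365 * 2, "marketing_lead": 365}


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a toy so the example needs only the
    standard library. Production code would use an AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class RecordStore:
    """Each record is encrypted under its own data-encryption key (DEK). Destroying the
    DEK makes every copy of the ciphertext unreadable at once, including backup copies
    that cannot be overwritten until the next backup cycle (the 'beyond use' case)."""

    def __init__(self, today: date):
        self.today = today
        self.keys = {}      # record_id -> DEK; the only data that needs secure deletion
        self.live = {}      # record_id -> (nonce, ciphertext) on the live system
        self.backups = {}   # record_id -> ciphertext copy held beyond use until overwritten
        self.meta = {}      # record_id -> category, creation date, legal-hold flag
        self.evidence = []  # the official record of deletion decisions and actions

    def put(self, record_id: str, category: str, created: date, payload: bytes,
            legal_hold: bool = False) -> None:
        dek, nonce = os.urandom(32), os.urandom(12)
        ct = xor_bytes(payload, keystream(dek, nonce, len(payload)))
        self.keys[record_id] = dek
        self.live[record_id] = (nonce, ct)
        self.backups[record_id] = ct
        self.meta[record_id] = {"category": category, "created": created, "legal_hold": legal_hold}

    def get(self, record_id: str) -> bytes:
        """Raises KeyError once the DEK is gone, even though ciphertext copies remain."""
        nonce, ct = self.live[record_id]
        return xor_bytes(ct, keystream(self.keys[record_id], nonce, len(ct)))

    def expired(self, record_id: str) -> bool:
        m = self.meta[record_id]
        return self.today >= m["created"] + timedelta(days=RETENTION_DAYS[m["category"]])

    def crypto_erase(self, record_id: str, actor: str) -> dict:
        nonce, ct = self.live[record_id]
        del self.keys[record_id]                        # destroy the key: ciphertext is now noise
        self.live[record_id] = (nonce, bytes(len(ct)))  # also zero the live copy where we can
        entry = {"record_id": record_id, "action": "deleted",
                 "method": "cryptographic erasure (DEK destroyed); live copy overwritten with zeros",
                 "ciphertext_sha256": hashlib.sha256(ct).hexdigest(),  # ties the evidence to the data erased
                 "backup_copy_beyond_use": record_id in self.backups,
                 "date": self.today.isoformat(), "actor": actor}
        self.evidence.append(entry)
        return entry

    def retention_sweep(self, actor: str = "retention-job") -> list:
        """The five steps when a retention period is reached: identify expired records,
        consider circumstances that require longer retention (modelled by the legal-hold
        flag), decide, act, and document the decision either way."""
        decisions = []
        for rid in list(self.meta):
            if rid not in self.keys or not self.expired(rid):   # already erased, or still in period
                continue
            if self.meta[rid]["legal_hold"]:
                entry = {"record_id": rid, "action": "retained", "reason": "legal hold; review at next sweep",
                         "date": self.today.isoformat(), "actor": actor}
                self.evidence.append(entry)
            else:
                entry = self.crypto_erase(rid, actor)
            decisions.append(entry)
        return decisions


def demo() -> RecordStore:
    """Constructed data: one expired ticket, one ticket still in period, one expired HR file on hold."""
    store = RecordStore(today=date(2024, 6, 1))
    store.put("t-1", "support_ticket", date(2021, 1, 1), b"customer phone 555-0100")
    store.put("t-2", "support_ticket", date(2024, 1, 1), b"recent ticket")
    store.put("h-1", "hr_file", date(2015, 1, 1), b"hr record", legal_hold=True)
    store.retention_sweep()
    return store


if __name__ == "__main__":
    for e in demo().evidence:
        print(e)
```

The point of the per-record key is that deletion becomes a key-management operation: the ciphertext in the backup set can stay untouched until the backup cycle overwrites it, yet nobody can read it, and the evidence entry records the hash of what was erased rather than the data itself.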

ISO 27001:2022 A 8.9 Configuration management

Configuration management is the process of maintaining systems, such as computer hardware and software, in a desired state. It is also a method of ensuring that systems perform in a manner consistent with expectations over time, and a governance and systems engineering process used to track and control IT resources and services across an enterprise. Configuration management helps prevent undocumented changes from working their way into the environment. By doing so, it can help prevent performance issues, system inconsistencies or compliance issues that can lead to regulatory fines and penalties; over time, undocumented changes can lead to system downtime, instability or failure. When properly implemented, configuration management ensures that an organization knows how its technology assets are configured and how those items relate to one another. It ensures that hardware, software, services and networks function correctly with the required security settings, and that configuration is not altered by unauthorized or incorrect changes. The control requires that configurations, including security configurations, of hardware, software, services and networks be established, documented, implemented, monitored and reviewed. The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime. Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes.

Utilizing a configuration management system helps avoid problems that occur when hardware and software systems are improperly configured. Simply tracking changes can help avoid expensive remediation projects down the road. CM is insurance you pay for today so you can prevent issues tomorrow. For example, configuration management helps ensure the development, test and production environments are the same, so that deployed applications behave in the manner expected of them. When problems do occur, CM can re-create the environment where an error occurred, or can replicate an environment to ease scaling and migration of workloads either on-premises or between clouds. Configuration management tools use scripting to automate these administrative tasks, and enable rapid provisioning of servers, VMs and containers to the desired state in minutes, rather than days or weeks. A configuration management system allows the enterprise to define settings in a consistent manner, then to build and maintain them according to the established baselines. A configuration management plan should include a number of tools that:

  • Enable classification and management of systems in groups
  • Make centralized modifications to baseline configurations
  • Push changes automatically to all affected systems to automate updates and patching
  • Identify problem configurations that are underperforming or non-compliant
  • Automate prioritization of actions needed to remediate issues
  • Apply remediation when needed.

The configuration management process begins with gathering information, including configuration data from each application and the network topology. Secrets such as encryption keys and passwords should be identified so that they are kept out of the configuration files themselves, stored encrypted in a secrets store and only referenced from the configuration. Once collected, configuration data should be loaded into files that become the central repository of the desired state: the single version of the truth. The organization can then establish a baseline configuration, which should be a known good configuration that performs its intended operations without bugs or errors. Typically this baseline is established by noting the configuration of the working production environment and storing those configuration settings as the baseline. When the baseline has been established, the organization should adopt a version control system; many organizations use Git to create a repository of configuration data for this purpose. Auditing and accounting help to ensure that any changes applied to the configuration are reviewed by stakeholders and accepted, ensuring accountability and visibility into configuration changes.

Control

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Purpose

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

ISO 27002 Implementation Guidance

General
The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime. Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes.
Standard templates
Standard templates for the secure configuration of hardware, software, services and networks should be defined:

  1. using publicly available guidance (e.g. pre-defined templates from vendors and from independent security organizations);
  2. considering the level of protection needed in order to determine a sufficient level of security;
  3. supporting the organization’s information security policy, topic-specific policies, standards and other security requirements;
  4. considering the feasibility and applicability of security configurations in the organization’s context.

The templates should be reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced. The following should be considered for establishing standard templates for the secure configuration of hardware, software, services and networks:

  1. minimizing the number of identities with privileged or administrator level access rights;
  2. disabling unnecessary, unused or insecure identities;
  3. disabling or restricting unnecessary functions and services;
  4. restricting access to powerful utility programs and host parameter settings;
  5. synchronizing clocks;
  6. changing vendor default authentication information such as default passwords immediately after installation and reviewing other important default security-related parameters;
  7. invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity;
  8. verifying that licence requirements have been met.

Managing configurations
Established configurations of hardware, software, services and networks should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates. Changes to configurations should follow the change management process. Configuration records can contain, as relevant:
a) up-to-date owner or point of contact information for the asset;
b) date of the last change of configuration;
c) version of configuration template;
d) relation to configurations of other assets.

Monitoring configurations
Configurations should be monitored with a comprehensive set of system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths and assess activities performed. Actual configurations can be compared with the defined target templates. Any deviations should be addressed, either by automatic enforcement of the defined target configuration or by manual analysis of the deviation followed by corrective actions.

Other information

Documentation for systems often records details about the configuration of both hardware and software. System hardening is a typical part of configuration management. Configuration management can be integrated with asset management processes and associated tooling. Automation is usually more effective to manage security configuration (e.g. using infrastructure as code). Configuration templates and targets can be confidential information and should be protected from unauthorized access accordingly.

Configurations, whether held in a single config file or in a group of configurations linked together, are the underlying parameters that govern how hardware, software and even entire networks are managed. As an example, a firewall’s configuration file holds the baseline attributes that the device uses to manage traffic to and from an organisation’s network, including block lists, port forwarding, virtual LANs and VPN information. Configuration management is an integral part of an organisation’s broader asset management operation. Configurations are key in ensuring that a network is not only operating as it should be, but also in securing devices against unauthorised changes or incorrect amendments on the part of maintenance staff and/or vendors. Established configurations of hardware, software, services and networks should be recorded, and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as through configuration databases or configuration templates. Configurations should be monitored with a comprehensive set of system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths and assess activities performed. This control manages risk by establishing a series of policies that govern how an organisation documents, implements, monitors and reviews the use of configurations across its entire network.

On the whole, organisations need to draft and implement configuration management policies for both new systems and hardware, and any that are already in use. Internal controls should include business-critical elements such as security configurations, all hardware that holds a configuration file and any relevant software applications or systems. Organisations should consider all relevant roles and responsibilities when implementing a configuration policy, including the delegated ownership of configurations on a device-by-device or application-by-application basis. Where possible, organisations should use standardized templates to secure all hardware, software and systems. Templates should:

  • Attempt to utilize publicly available, vendor-specific and/or open source guidance on how best to configure hardware and software assets.
  • Meet minimum security requirements for the device, application or system that they are applicable to.
  • Work in harmony with the organisation’s broader information security efforts, including all relevant ISO controls.
  • Keep in mind the organisation’s unique business requirements – especially where security configurations are concerned – including how feasible it is to apply or manage a template at any given time.
  • Be reviewed at appropriate intervals in order to cater for system and/or hardware updates, or any prevailing security threats.

Security is paramount when applying configuration templates, or amending existing templates in line with the above guidance. When considering standard templates for use across the organisation, in order to minimize information security risks organisations should:

  • Keep the number of users with administrator privileges to a minimum.
  • Disable any unused or unnecessary identities.
  • Closely monitor access to maintenance programs, utility applications and internal settings.
  • Ensure that clocks are synchronised in order to log configuration correctly, and assist in any future investigations.
  • Immediately change any default passwords or default security settings that are supplied with any device, service or application.
  • Implement a default logoff period for any devices, systems or applications that have been left dormant for a specified period of time.
  • Ensure that all licensing requirements have been met.

An organisation has a responsibility to maintain and store configurations, including keeping an audit trail of any amendments or new installations, in line with a published change management process. Logs should contain information that outlines:

  • Who owns the asset.
  • A timestamp for the latest configuration change.
  • The current version of the configuration template.
  • Any relevant information that explains the asset’s relationship with configurations held on other devices or systems.

Organisations should deploy a wide range of techniques to monitor the operation of configuration files across their network, including:

  • Automation.
  • Specialized configuration maintenance programs.
  • Remote support tools that auto-populate configuration information on a device-by-device basis.
  • Enterprise device and software management utilities that are designed to monitor large amounts of configuration data at once.
  • Backup and disaster recovery (BUDR) software that automatically backs up configurations to a secure location, and restores templates either remotely or onsite to compromised and/or malfunctioning devices.

Organisations should configure specialized software to track any changes in a device’s configuration, and take appropriate action to address the amendment as soon as possible, either by validating the change or reverting the configuration back to its original state.

Whether intentional or unintentional, changes are commonplace in IT infrastructures. Managers deploy and install software updates, end users or administrators change configuration settings intentionally or unintentionally, managers introduce new applications and systems with vigor, and so on. When such decisions are made in haste, security considerations are often “left out of the equation.” As a result, implementations are made quickly and without regard to change/release processes in order to meet deadlines and schedules. Even if IT systems have defined settings at initial installation, deviations occur over time. It is usually difficult to keep track of the changes that lead to a configuration deviation via standard measures such as the widely used group policies. As a result, a management tool that provides a comprehensive and transparent overview becomes necessary. This allows an IT department to effectively monitor the situation and take appropriate action if necessary. The best way to deal with configuration deviations is to strictly organize configuration management. In addition to this organizational measure, it is also imperative to technically monitor the actual, implemented configuration. The combination of regular and effective monitoring at the technical and process levels helps to create comprehensive security awareness and to keep the IT infrastructure under control. Another plus point is that evidence for internal and external audits is generated almost as a side effect. The best way to detect and, ideally, prevent configuration deviations of IT systems consists of a multi-stage process.

  1. Identify: The initial configuration must be clear. Often, compliance departments and/or information security officers know existing internal and external security requirements. Existing industry standards and vendor recommendations also help in the evaluation.
  2. Evaluate, develop and adapt: Are existing IT systems configured to meet the specifications of internal and external recommendations and requirements? What differences exist? Which systems deviate – regularly, if necessary – from the specifications? On the basis of stringent reporting, it is possible to develop and also implement a standardized, proprietary (hardening) configuration.
  3. Control: During the lifetime of IT systems, which can be several years, continuous – ideally automated – monitoring is necessary. This enables deviations in the configuration to be detected. Questions to be asked here could be the following:
    • Does monitoring of all IT systems take place after implementation?
    • Are configuration deviations visualized transparently so that a rapid response is possible?
    • Does “automated self-healing” take place under certain circumstances?
  4. Establish processes: If deviations are detected, appropriate measures must be taken as quickly as possible. While this usually works on demand in small companies, larger companies with a strong separation of responsibilities need established and tested processes! For example, these things need to be clarified:
    • How can a configuration deviation be detected?
    • How quickly is the configuration deviation corrected?
    • To which person or persons do you report the deviations?
    • What do the regular reports look like?

Configuration Management is not an end in itself, but an important IT measure: one that ensures that a stringent and standardized hardening of IT systems is performed and controlled. System hardening means configuring operating systems, applications, cloud solutions and more so that they are better protected. Data espionage, ransomware attempts and other cyber attacks can be averted in this way or, optimally, fizzle out because the typical attack surfaces have been reduced in size. In order to carry out system hardening efficiently, a check is required first. This determines the status quo of the system hardening.
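The "control" and "establish processes" stages above come down to comparing what is actually configured against the approved baseline and deciding what may be corrected automatically and what must be escalated. The following is an added example, not code from the original article: a minimal drift check in which the baseline rules, the observed host snapshot and the severities are constructed for illustration; in practice the observed values would come from a collector (parsed service configuration, a registry export, a cloud API) and the baseline from the organisation's approved hardening standard.

```python
"""Detect deviations of an observed configuration from a hardening baseline,
report them most-urgent-first, and apply 'self-healing' only where the baseline
allows it. Added example with constructed data; not from the original article."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    key: str                  # configuration item, e.g. "sshd.PasswordAuthentication"
    expected: Any             # value required by the baseline
    severity: str             # "high" | "medium" | "low": drives how fast a response is needed
    op: str = "eq"            # "eq": must equal expected; "ge": numeric value must be >= expected
    remediable: bool = False  # True if an approved automated correction exists for this item


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: Any
    actual: Any
    severity: str
    remediable: bool


MISSING = "<not set>"                       # sentinel for items absent from the snapshot
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed baseline (assumption: these are the organisation's approved settings).
BASELINE = [
    Rule("sshd.PermitRootLogin", "no", "high", remediable=True),
    Rule("sshd.PasswordAuthentication", "no", "high", remediable=True),
    Rule("firewall.default_inbound", "deny", "high"),        # changing this needs change control
    Rule("services.telnet", "disabled", "high", remediable=True),
    Rule("audit.log_retention_days", 90, "medium", op="ge"),
    Rule("ntp.enabled", True, "low", remediable=True),
]

# Constructed snapshot of a host that has drifted since installation.
OBSERVED = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",
    "firewall.default_inbound": "allow",
    "services.telnet": "disabled",
    "audit.log_retention_days": 30,
    # "ntp.enabled" was never set: a missing item counts as drift, the baseline is explicit
}


def satisfies(rule: Rule, actual: Any) -> bool:
    """True if the observed value meets the rule (unset never does)."""
    if actual == MISSING:
        return False
    if rule.op == "ge":
        return isinstance(actual, (int, float)) and actual >= rule.expected
    return actual == rule.expected


def check_drift(baseline: list[Rule], observed: dict[str, Any]) -> list[Deviation]:
    """Compare snapshot with baseline; result is ordered by severity, most urgent first."""
    found = [
        Deviation(r.key, r.expected, observed.get(r.key, MISSING), r.severity, r.remediable)
        for r in baseline
        if not satisfies(r, observed.get(r.key, MISSING))
    ]
    found.sort(key=lambda d: SEVERITY_ORDER[d.severity])  # stable: baseline order within a level
    return found


def auto_heal(deviations: list[Deviation],
              apply: Callable[[str, Any], None]) -> tuple[list[str], list[str]]:
    """Correct what the baseline marks as automatically correctable; escalate the rest
    to a person under the established process. Returns (fixed keys, escalated keys)."""
    fixed, escalated = [], []
    for d in deviations:
        if d.remediable:
            apply(d.key, d.expected)
            fixed.append(d.key)
        else:
            escalated.append(d.key)
    return fixed, escalated


def report(host: str, deviations: list[Deviation]) -> str:
    """Human-readable report line per deviation, suitable for the regular reports."""
    if not deviations:
        return f"{host}: compliant with baseline"
    lines = [f"{host}: {len(deviations)} deviation(s)"]
    for d in deviations:
        action = "auto-correct" if d.remediable else "escalate"
        lines.append(f"  [{d.severity:6}] {d.key}: expected {d.expected!r}, "
                     f"found {d.actual!r} -> {action}")
    return "\n".join(lines)


def run_demo() -> dict:
    """Run the check on the constructed snapshot, heal what is allowed, re-check."""
    state = dict(OBSERVED)
    before = check_drift(BASELINE, state)
    fixed, escalated = auto_heal(before, lambda key, value: state.__setitem__(key, value))
    after = check_drift(BASELINE, state)
    return {"before": [d.key for d in before], "fixed": fixed,
            "escalated": escalated, "after": [d.key for d in after]}


if __name__ == "__main__":
    print(report("web-01", check_drift(BASELINE, OBSERVED)))
    print(run_demo())
```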

The configuration of an IT Asset is a representation of the system’s components, how each component is configured, and how the components are connected or arranged to implement the asset. A misconfiguration may affect the security posture of the asset and infrastructure. The activities involved in managing the configuration process include planning, identification, establishment of the baseline configuration, change control, configuration monitoring and reporting. IT Asset Custodians must inventory, document, monitor and manage IT Assets for which they are responsible. For each asset, the susceptibility to risk or exploit and the required level of protection required to comply with policies and standards must be determined. Risk level is determined by the IT Asset Custodian based on factors including, but not limited to:
• the sensitivity and risk of harm to individuals if the IT Asset or High Risk/Moderate Risk data is subject to a breach or unauthorized disclosure.
• failure or loss of availability of a critical business function.
• loss of productivity or other negative impacts to resources.

IT Asset documentation and risk assessment information shall be made available to the CISO upon request.

CONFIGURATION MANAGEMENT REQUIREMENTS IN INFORMATION SECURITY
IT Asset Custodians must ensure that data is properly protected, and IT Assets are properly hardened, monitored, and managed from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning according to Configuration Management controls.
I] Configuration Management Policy and Procedures
The CISO is responsible for establishing Configuration Management policies and standards that apply to enterprise and distributed IT Assets. The information security manager is responsible for ensuring appropriate configuration management within the organization so that the infrastructure is secure and resilient.

II] Configuration Management Plan
Each IT Asset Custodian must develop, document, and implement a Configuration Management Plan for IT Assets that:

  • addresses configuration management roles, responsibilities, standards, processes, and procedures.
  • establishes a process for identifying configuration items throughout the system development life cycle (SDLC), and ensures they align with established policies, standards, processes, and procedures.
  • protects the Configuration Management Plan from unauthorized disclosure and modification.

III] IT Asset Inventory
IT Asset Custodians are responsible for establishing and maintaining an accurate, detailed, and up-to-date inventory of all IT Assets and asset components (devices, applications, operating systems, networks, etc.) connected to the infrastructure (physically, virtually, remotely, within cloud environments, etc.). This includes relevant hardware/software/system specific component information such as Unit, IT Asset Custodian, location, manufacturer, device type, model, serial number, version number, machine name, hardware address and specifications, software license information, software version numbers, etc. IT Asset Custodians must maintain an inventory of IT Assets and IT Asset components:
1) Develop and document an inventory of IT Asset components that

  • accurately reflects the current IT Assets for which the IT Asset Custodian is responsible
  • includes information necessary to achieve effective infrastructure component accountability and proper management
  • is at the level of granularity deemed necessary for tracking and reporting.

2) Review and update the component inventory as an integral part of installation, removal, and updates.
3) Ensure that only currently supported and authorized IT Assets are connected to the infrastructure unless an exception is approved according to the Request for Exception to IT Policy.
4) Employ mechanisms to detect the presence of unauthorized hardware, software, and firmware. The IT Asset Custodian must take action when unauthorized components are detected, such as disabling network access for such components, isolating the components, or notifying authorized points of contact.

IV] Baseline Configurations
Baselines are documented, formally reviewed and agreed-upon sets of specifications that ensure that IT Assets are properly configured and hardened to reduce vulnerabilities. Hardening includes removing superfluous programs, account functions, applications, ports, permissions, access, or other configuration changes to reduce attackers’ ability to gain unauthorized access to the IT environment. Types of hardening activities include application hardening, operating system hardening, server hardening, database hardening and network hardening. Baseline configurations may also be used to create master configuration images (golden images), with required configuration settings already in place. An example of a golden image is a configuration with approved base operating system settings that can be rolled out to all virtual machines/workstations in the unit. Baseline configurations serve as a basis for future builds, releases, and changes to university systems, system components, and networks. IT Asset Custodians are responsible for selecting and tailoring appropriate security control baselines for all IT Assets, based on the criticality and sensitivity of the information to be processed, stored, or transmitted by the system. Baseline configurations must be updated as needed to ensure system upgrades, patches or other significant changes are addressed according to compliance requirements identified by the IT Vulnerability Management Standard. Existing baseline configurations must be reviewed at least annually to ensure they are still applicable.

V] Configuration Change Control
Configuration change control is the documented process for managing and controlling changes to the configuration of a system. Configuration change control includes, but is not limited to:

  • changes to Baseline configurations for components and configuration items of IT Assets.
  • changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices).
  • unscheduled/unauthorized changes.
  • changes to remediate vulnerabilities.

IT Asset Custodians must ensure proper configuration change control:

  • determine the types of changes to an information system or IT Asset that impact configuration.
  • review proposed configuration changes and approve or disapprove with explicit consideration for security impact analysis and document change decisions.
  • properly test, validate, and document planned changes prior to implementation of approved changes.
  • coordinate and provide oversight for change control activities through a change control entity that convenes regularly.
  • retain previous configurations and records of changes for the life of the system or IT Asset to support audit, incident response and historical information.
  • audit and review activities associated with configuration changes to the information system or IT Asset, including audit logs and rollback procedures.

VI] Security Impact Analysis
Each IT Asset Custodian must analyze planned changes to an information system or IT Asset to determine potential security impacts prior to change implementation. Security impact analysis may include reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Analyses are scaled in accordance with the security requirements of the IT Asset. IT Asset Custodians must ensure proper testing of configuration changes. Whenever possible, changes should be tested in a separate environment which is physically or logically isolated from the operational environment. After implementation, implemented changes must be verified to ensure that functions are implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements of the system.

VII] Access Restrictions for Change
IT Asset Custodians must define, document, approve, and enforce physical and logical access restrictions associated with changes to an information system or IT Asset. Only qualified and authorized individuals are provided access to information system components for purposes of initiating changes, including upgrades and modifications. Audit trails or change logs must be maintained to ensure that configuration change control is being implemented as intended and to support periodic audits.

VIII] Configuration Settings
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters include registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for IT Assets. The established settings become part of the configuration Baseline. Each IT Asset Custodian must maintain appropriate configuration settings:

  • establish, document, and implement configuration settings for information technology products employed within the information system, that reflect the most restrictive mode consistent with operational requirements.
  • identify, document, and approve any deviations from established configuration settings.
  • monitor and control changes to configuration settings in accordance with policies.

IX] Least Functionality
The principle of least functionality provides that information systems and IT Assets are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that asset. IT Asset Custodians must ensure IT Assets are configured to restrict access through least functionality:

  • configure IT Assets to provide only essential capabilities with respect to their relative security. At least annually, review the use of functions, ports, protocols, and services. Identify and disable or eliminate those deemed unnecessary, unused or detrimental to the system or business.
  • identify and remove/disable unauthorized and/or non-secure functions, ports, protocols, services, and applications.
  • limit component functionality to a single function per device (e.g. database server, web server, etc.), where feasible.
  • When a device with elevated security controls is used to access IT Assets in locations deemed to be high risk, predefined security safeguards should be applied prior to joining it to the production network.

X] Software Usage Restrictions
Each IT Asset Custodian must ensure proper management of software:

  • use software (and associated documentation) in accordance with contractual agreements and copyright laws; and track the use of software protected for quantity licenses.
  • strictly prohibit the use of peer-to-peer file sharing technology.
  • establish, monitor, and enforce policies, standards and compliance governing the installation of software by end users.
  • establish restrictions on the use of open-source software (OSS).

XI] User-installed Software
To maintain control over the types of software installed, IT Asset Custodians must identify permitted and prohibited actions regarding software installation. Permitted software installations may include updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. User-installed software must require privileged status.

XII] Incident Reporting
It is the responsibility of each staff member, contractor, or visitor to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO).

ISO 27001:2022 A 7.14 Secure disposal or re-use of equipment

Organizations must ensure that the process for the disposal or re-use of equipment is strictly controlled. The improper disposal or re-use of any information system, system component, or storage device could potentially impact the confidentiality of data by inadvertently making it available to unauthorized audiences. This could easily result in a reportable security incident or data breach. All media should be disposed of safely and securely when it is no longer needed. This should be performed using formally documented procedures to ensure that any protected or otherwise sensitive data has been completely removed or securely overwritten prior to media disposal. Information systems or other devices that contain sensitive or protected information should be physically destroyed or the information must be destroyed, deleted, or overwritten using techniques to make the original information non-retrievable. These techniques must remove the original data permanently, rather than using the standard delete or disk formatting functions. It is highly recommended that your organization holds all devices or media scheduled for destruction locally until the materials are destroyed or shredded onsite by an approved internal process or external provider.

All items of equipment including storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. This is another area of common vulnerability where many incidents have arisen from poor disposal or re-use practices.

If equipment is being disposed of that contained sensitive information, it is critical that data bearing devices and components are either physically destroyed or securely wiped using appropriate tools and technologies. If equipment is going to be re-used it is important that any previous data and potentially installed software is securely “wiped” and the device returned to a known “clean” state.
Depending on the level of sensitivity of data contained on equipment being destroyed it may be necessary to ensure physical destruction and this should be done using a process that can be fully audited.

Control

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Purpose

To prevent leakage of information from equipment to be disposed or re-used.

Implementation Guidelines

Equipment should be verified to ensure whether or not storage media is contained prior to disposal or re-use. Storage media containing confidential or copyrighted information should be physically destroyed or the information should be destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete function. Labels and markings identifying the organization or indicating the classification, owner, system or network, should be removed prior to disposal, including reselling or donating to charity. The organization should consider the removal of security controls such as access controls or surveillance equipment at the end of lease or when moving out of premises. This depends on factors such as:

  1. its lease agreement to return the facility to original condition;
  2. minimizing the risk of leaving systems with sensitive information on them for the next tenant (e.g. user access lists, video or image files);
  3. the ability to reuse the controls at the next facility.

Other Information

Damaged equipment containing storage media can require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment. In addition to secure disk deletion, full-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:

  1. the encryption process is sufficiently strong and covers the entire disk (including slack space, swap files);
  2. the cryptographic keys are long enough to resist brute force attacks;
  3. the cryptographic keys are themselves kept confidential (e.g. never stored on the same disk).

Techniques for securely overwriting storage media differ according to the storage media technology and the classification level of the information on the storage media. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.

IT equipment should be maintained properly and disposed of securely. Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent the disclosure of the information to unauthorized parties. All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal.

All equipment has a life cycle, after which it is necessary to get rid of it. Be careful with this point: remember that your organization’s information is stored on computers/servers, and it can remain there even if you believe you have removed it. Therefore, to avoid possible leakage of information from computers that are reused or eliminated, you should safely dispose of the information (through software), or physically destroy the hard drive that contains the information. If you want to add an additional layer of security, you can encrypt the information before destroying it – in this way, in the hypothetical case that someone could recover the information through some mechanism, they would then have to decrypt it. Organisations should take the following into account for compliance:

1. A proactive approach should be adopted: Before disposal takes place or the equipment is made available for reuse, organisations must confirm whether the equipment contains any information assets and licensed software and should ensure that such information or software is permanently deleted.

2. Physical destruction or irretrievable deletion of information: The two methods by which the information contained in equipment can be securely and permanently removed:

  • Equipment hosting storage media devices that contain information should be physically destroyed.
  • Information stored on the equipment should be erased, overwritten, or destroyed in a non-retrievable manner so that malicious parties cannot access information.

3. Removal of all labels and markings: Components of the equipment and the information contained in it can have labels and markings that identify the organisation or that disclose the name of the asset owner, network, or information classification level assigned. All these labels and markings should be irretrievably destroyed.

4. Removal of Controls: Taking into account the following conditions, organisations may choose to uninstall all security controls such as access restrictions or surveillance systems when they vacate facilities:

  • The terms of the lease agreement related to conditions on which it needs to be returned.
  • Eliminating and mitigating the risk of unauthorized access to sensitive information by the next tenant.
  • Whether the existing controls can be reused at the next facility

5. Damaged Equipment: When damaged equipment containing information is sent to repair, it may be exposed to the risk of unauthorized access by third parties. Organisations should carry out a risk assessment taking into account the level of sensitivity of the information and consider if destroying the equipment is a more viable option than repair.

6. Full-Disk Encryption: While the full-disk encryption technique greatly minimizes risks to the confidentiality of information, it should adhere to the following standards:

  • Encryption is robust and it covers all parts of the disk, including slack space.
  • Cryptographic keys should be long enough to prevent brute force attacks.
  • Organisations should maintain the confidentiality of cryptographic keys. For example, the encryption key should not be stored on the same disk.

7. Overwriting Tools: Organisations should choose an overwriting technique taking into account the following criteria:

  • Level of information classification assigned to the information asset.
  • Type of storage media on which the information is stored.

An important input for media disposal is information classification. A lot of companies classify their information, because not all media have the same information, and not all of the information has the same value for the business. For example, there is a big difference between a USB pen drive containing a PDF file with a presentation of the business (which can be considered public information), and a USB pen drive containing the company’s database of clients (which can be considered confidential). If the information is public, we can share it in the public domain, because there is not a risk of confidential information leakage. But, if the information is not public (confidential, restricted, internal, etc.), we need to store and dispose of it in a secure way, because it can carry a risk of confidential information leakage, which can destroy the business, as well as showing noncompliance with legal regulations.

Besides handling confidential information securely, there are other reasons for secure asset and media disposal. They may appear to be simple activities, since we generally only dispose of things that we deem no longer needed or not valuable. However, thinking about environmental recycling activities, you can see that what is worthless to someone can be highly valuable to someone else. The same applies to information. Some piece of information we consider not valuable can lead a competitor to gain a business advantage, a criminal to explore an organization’s weaknesses or, worse, cause damage to a customer or person’s life by using personal or private information to commit a crime posing as those persons. No less important, in some cases clients and potential business partners ask for a hard drive destruction certificate. Equipment containing storage media shall be verified to ensure it is free of sensitive information prior to disposal or re-use. As with other forms of control, secure disposal should be supported by an organizational policy.

  • Disposal procedures should be proportional to the information classification level: The higher the classification, the greater the assurance needed that information cannot be retrieved after disposal. Shredding or incineration of the media, or overwriting of the data, are examples of good practices.
  • Clear identification of information that will require secure disposal: By the use of a watermark or colored border, it is easier for someone to identify the information that should be securely disposed of.
  • Dispose of media mixing different types: The greater the mix of different items (e.g., CDs, HDDs, paper, etc.), the harder it is to recover a specific medium, and the more secure the disposal.
  • Control access to accumulated media for disposal: A large quantity of non-sensitive information together can make it possible to retrieve sensitive information (aggregation effect). E.g., a great number of old published market reports put together may allow someone to figure out a trend related to a sensitive market strategy. Think about defining a short accumulation period or small storage volume to execute the disposal procedures.
  • Keep traceability of sensitive disposed items: To ensure the items were properly disposed, you should keep log information listing, at a minimum, who performed the procedure, when, and what method was used.
  • Equipment verification prior to disposal or re-use: You should verify whether or not storage media is contained within the equipment (e.g., hard drive or memory chips). You could use a disposal checklist to ensure critical elements are verified.
  • Use of non-retrievable methods: Physical destruction (e.g., by grinding or shredding) or overwriting techniques, with specific or generic patterns, should be used to perform disposal of highly sensitive information.
  • Evaluation of damaged equipment: Sometimes damaged devices need to be sent to external parties to be repaired. In these situations, the device should be assessed for sensitive data to determine whether the items should be physically destroyed rather than sent for repair or discarded. ISO 31010 presents a good list of risk assessment techniques which can be used.
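The points on choosing an overwriting technique by classification and media type, verifying equipment before release, and keeping a traceable disposal record can be exercised together. The following is an added example, not the article's or any vendor's tool: it overwrites a file standing in for a storage medium, verifies by full read-back that no byte survived, and writes a hash-sealed disposal record. The media types, the classification-to-method table (which treats flash media as not reliably overwritable, in line with common guidance such as NIST SP 800-88) and the record fields are assumptions; on a real device the overwrite itself must be done with a tool matched to the media technology, and only the verification and traceability logic shown here carries over.

```python
"""Overwrite a file-backed media image, verify the overwrite, and record the disposal.
Added example with constructed data; not code from the original article."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # read/write granularity


def required_method(classification: str, media_type: str) -> str:
    """Assumed organisational table: sanitisation method by classification and media type.
    Flash media (wear levelling) are not reliably overwritable, so they get cryptographic
    erase or destruction; the highest classification is always physically destroyed."""
    classification = classification.lower()
    if classification == "restricted":
        return "physical_destruction"
    if media_type.lower() in ("ssd", "flash", "usb"):
        return "crypto_erase_or_destruction"
    if classification in ("public", "internal"):
        return "overwrite"
    return "overwrite_and_verify"  # confidential data on magnetic media


def make_test_image(size: int) -> str:
    """Constructed stand-in for a storage medium: a temp file filled with random bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def overwrite_image(path: str, pattern: int = 0x00, passes: int = 1) -> int:
    """Overwrite every byte of the image with a one-byte pattern; returns the image size."""
    size = os.path.getsize(path)
    block = bytes([pattern]) * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # the overwrite must reach the medium, not just the page cache
    return size


def verify_overwrite(path: str, pattern: int = 0x00) -> tuple[bool, int]:
    """Full read-back verification: (True, -1) if every byte equals the pattern,
    otherwise (False, offset of the first surviving byte). Sampling is not enough:
    a tool that skipped one region leaves recoverable data there."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            expected = bytes([pattern]) * len(chunk)
            if chunk != expected:
                for i, (got, want) in enumerate(zip(chunk, expected)):
                    if got != want:
                        return False, offset + i
            offset += len(chunk)
    return True, -1


def disposal_record(media_id: str, media_type: str, classification: str, operator: str,
                    method: str, verified: bool | None, size: int) -> dict:
    """Traceability entry: who, when, which medium, which method, and the verification result.
    The SHA-256 over the entry lets a later audit detect edits to the log line."""
    rec = {
        "media_id": media_id, "media_type": media_type, "classification": classification,
        "operator": operator, "method": method, "bytes": size, "verified": verified,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    rec["record_sha256"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec


def sanitise_and_record(path: str, media_id: str, media_type: str,
                        classification: str, operator: str) -> dict:
    """Apply the required method where it is a software overwrite, verify it, and log it.
    Methods needing hardware action (crypto erase, destruction) are logged with verified=None."""
    method = required_method(classification, media_type)
    size = os.path.getsize(path)
    verified = None
    if method in ("overwrite", "overwrite_and_verify"):
        overwrite_image(path)
        ok, first_bad = verify_overwrite(path)
        if not ok and method == "overwrite_and_verify":
            raise RuntimeError(f"{media_id}: data survives at offset {first_bad}; do not release")
        verified = ok
    return disposal_record(media_id, media_type, classification, operator, method, verified, size)


def run_demo() -> dict:
    """Sanitise a constructed ~200 KB image, then show that a skipped region is caught."""
    path = make_test_image(200_000)
    try:
        rec = sanitise_and_record(path, "HDD-0042", "hdd", "confidential", "j.doe")
        clean = verify_overwrite(path)
        with open(path, "r+b") as f:      # simulate a tool that skipped one region
            f.seek(12345)
            f.write(b"customer list")
        tampered = verify_overwrite(path)
    finally:
        os.remove(path)
    return {"record": rec, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```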

Sometimes the volume of items, or the technical requirements for disposal, makes the use of specialized organizations a good option, but care should be taken in selecting a suitable organization. Criteria you should consider are how it manages its security, disposal methods used and experience with your industry. Be sure to include all this in the service contract. There are many reputable service providers available to perform shredding and destruction services on-site at your organization’s location. While there is a cost associated with these services, this service is their core competency. You may find that their secure handling, on-site destruction, and delivery of Certificates of Destruction to your organization is worth the investment after a quick cost-benefit analysis.

5 tips for media disposal

  • Physically destroy the media. You can do this, for example, by incineration or shredding, etc. This physical destruction is also applicable to damaged devices. But, be careful, because a damaged media device can also have sensitive information that could be restored, so to avoid this, you should destroy it physically.
  • Securely delete the information. There are software tools that you can use to overwrite the information, or to delete it in a secure way.
  • Select an external party. There are a lot of companies providing the service of destruction of your media, but here you need to take care with the selection of the provider by defining a non-disclosure agreement.
  • Avoid the aggregation effect. It is better if you avoid having a lot of media containing non-sensitive information, because something within the group could become sensitive information.
  • Register the disposal: Registering the disposal provides you with useful information for audit trails (what media has been destroyed, or what media is reusable, etc.).

Tips for Hard drive disposal

  • Encrypt the entire hard disk, using a strong algorithm and using a lengthy password.
  • Delete all the information in a secure way, using software solutions (there are a lot of free solutions).
  • Physically destroy the media device (incineration or shredding, etc.).
  • In reality, this method would only be applicable to the most critical and sensitive data, and for data with less criticality, only one of these methods will be enough.


If you need assistance or have any doubt and need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.

ISO 27001: 2022 A 7.13 Equipment maintenance

IT equipment such as servers, laptops, network devices, and printers are vital to many information processing operations such as storage, use, and transfer of information assets. However, if this equipment is not maintained taking into account product specifications and environmental risks, it may degrade in quality and performance. This lack of maintenance may result in the compromise of availability, integrity, and confidentiality of information assets stored on this equipment. For example, if an organisation fails to perform regular maintenance on server hardware, it may not recognize that the disk space is full. This may result in loss of data transmitted to or out of the server. Furthermore, employees or external service providers may gain access to IT equipment as part of the maintenance procedure and this may also present risks to the confidentiality of sensitive information. For instance, an external maintenance service provider may gain access to sensitive information stored on laptops or install malware into devices. The organisation can establish and implement appropriate procedures and measures for the proper maintenance of equipment so that the information assets stored on this equipment are not compromised.

Maintenance is considered as the set of all actions which have as an objective to retain an item (or the whole system) in, or restore it to, a state in which it can perform the required function. The actions include the combination of all technical and related administrative, managerial, and supervisory actions such as tests, measurements, replacements, adjustments and repairs. Maintenance is distinguished as:

  • Preventive, which aims at retaining the system’s capabilities before the occurrence of any problem (e.g. system failure).
  • Corrective, which aims at restoring the defective item(s) to the required state.
  • Adaptive, which focuses on adjusting equipment to properly interface with a changing environment.
  • Perfective, which refers to enhancements to the product in order to either add new capabilities or modify existing functions.

Control

Equipment should be maintained correctly to ensure availability, integrity and confidentiality of information.

Purpose

To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations caused by lack of maintenance.

ISO 27002 Implementation Guidance

The following guidelines for equipment maintenance should be considered:

  1. maintaining equipment in accordance with the supplier’s recommended service frequency and specifications;
  2. implementing and monitoring of a maintenance program by the organization;
  3. only authorized maintenance personnel carrying out repairs and maintenance on equipment;
  4. keeping records of all suspected or actual faults, and of all preventive and corrective maintenance;
  5. implementing appropriate controls when equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to the organization, subjecting the maintenance personnel to a suitable confidentiality agreement;
  6. supervising maintenance personnel when carrying out maintenance on site;
  7. authorizing and controlling access for remote maintenance;
  8. applying security measures for assets off-premises if equipment containing information is taken off premises for maintenance;
  9. complying with all maintenance requirements imposed by insurance;
  10. before putting equipment back into operation after maintenance, inspecting it to ensure that the equipment has not been tampered with and is functioning properly;
  11. applying measures for secure disposal or re-use of equipment if it is determined that equipment is to be disposed of.

Other information

Equipment includes technical components of information processing facilities, uninterruptible power supply (UPS) and batteries, power generators, power alternators and converters, physical intrusion detection systems and alarms, smoke detectors, fire extinguishers, air conditioning and lifts.

Organisations must put in place the technical measures and procedures needed to carry out proper maintenance on equipment used to store information assets. These measures and procedures provide assurance that information assets are not lost or damaged and are not exposed to the risk of compromise such as unauthorised access. The organisation must create a list of equipment, carry out a risk assessment based on environmental factors and product specifications, and establish and implement suitable procedures and measures for proper maintenance. The following are considered equipment:

  • Technical components of information processing facilities
  • Batteries
  • Fire extinguishers
  • Lifts
  • Power converters
  • Air conditioners
  • Similar assets

The organisation should consider the following specific recommendations:

  1. Maintenance procedures should conform to the equipment manufacturer’s specifications such as recommended service frequency.
  2. Organisations should establish and apply a maintenance program for all equipment.
  3. Only the authorized personnel or third parties should be allowed to perform maintenance activities or repairs on equipment.
  4. Organisations should create and maintain a record of all equipment malfunctioning and faults. Furthermore, this record should also include all maintenance activities carried out on equipment.
  5. Organisations should apply suitable measures during the performance of maintenance, considering whether the maintenance is performed by an employee or a third-party service provider. Furthermore, the relevant personnel should sign a confidentiality agreement.
  6. Personnel performing the maintenance work should be supervised at all times.
  7. Remote maintenance work should be subject to strict access and authorization procedures.
  8. If equipment is taken out of premises for maintenance work, organisations should apply appropriate security measures.
  9. Organisations should adhere to all requirements imposed by insurance providers on how to carry out maintenance.
  10. Organisations should inspect equipment that went through maintenance work to ensure that it is not tampered with and functions properly.
  11. If the equipment is to be disposed of or reused, organisations should establish and implement suitable measures and procedures for secure disposal or re-use.
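Several of the guidelines above (service frequency, authorised personnel, confidentiality agreements for external maintainers, fault and maintenance records, and inspection before equipment is returned to operation) are record-keeping and gating rules that are easy to get wrong when kept in a spreadsheet. The following Python script is an added illustration, not code from the original page or from ISO 27002, of a minimal maintenance register that enforces them. All asset identifiers, personnel names, dates and service intervals are constructed sample data.

```python
"""Equipment maintenance register: an added example of A 7.13 guidelines 1, 3, 4, 5 and 10."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class MaintenanceEvent:
    when: date
    kind: str                 # "preventive", "corrective" or "fault"
    performed_by: str
    external: bool            # True if carried out by a third-party provider
    notes: str = ""
    inspected_ok: Optional[bool] = None   # set by the post-maintenance inspection (guideline 10)


@dataclass
class Equipment:
    asset_id: str
    description: str
    service_interval_days: int            # supplier's recommended service frequency (guideline 1)
    last_service: date
    in_operation: bool = True
    events: List[MaintenanceEvent] = field(default_factory=list)   # fault and maintenance records (guideline 4)


# Constructed personnel list (hypothetical names): who may touch equipment, and whether an NDA is on file.
AUTHORISED_MAINTAINERS = {
    "a.smith": {"external": False, "nda": True},
    "vendor-tech-01": {"external": True, "nda": True},
    "vendor-tech-02": {"external": True, "nda": False},   # external, no confidentiality agreement yet
}


def next_service_due(eq: Equipment) -> date:
    return eq.last_service + timedelta(days=eq.service_interval_days)


def overdue_equipment(register: List[Equipment], today: date) -> List[str]:
    """Guideline 1: assets whose supplier-recommended service date has passed."""
    return sorted(eq.asset_id for eq in register if next_service_due(eq) < today)


def record_fault(eq: Equipment, when: date, reported_by: str, notes: str) -> None:
    """Guideline 4: suspected or actual faults are logged even before any repair is started."""
    eq.events.append(MaintenanceEvent(when, "fault", reported_by, False, notes))


def start_maintenance(eq: Equipment, when: date, kind: str, performed_by: str, notes: str = "") -> MaintenanceEvent:
    """Guidelines 3 and 5: only authorised personnel; externals must have a confidentiality agreement."""
    person = AUTHORISED_MAINTAINERS.get(performed_by)
    if person is None:
        raise PermissionError(f"{performed_by} is not authorised to maintain {eq.asset_id}")
    if person["external"] and not person["nda"]:
        raise PermissionError(f"{performed_by} has no confidentiality agreement on file")
    event = MaintenanceEvent(when, kind, performed_by, person["external"], notes)
    eq.events.append(event)
    eq.in_operation = False           # the asset is out of service until inspected
    return event


def return_to_operation(eq: Equipment, event: MaintenanceEvent, tamper_check_ok: bool,
                        function_test_ok: bool, when: date) -> bool:
    """Guideline 10: inspect for tampering and correct function before the asset goes back into use."""
    event.inspected_ok = tamper_check_ok and function_test_ok
    if not event.inspected_ok:
        return False
    eq.in_operation = True
    if event.kind == "preventive":
        eq.last_service = when        # the service clock restarts only after a completed preventive service
    return True


def maintenance_history(eq: Equipment):
    return [(e.when.isoformat(), e.kind, e.performed_by, e.inspected_ok) for e in eq.events]


def build_sample_register() -> List[Equipment]:
    """Constructed sample inventory (hypothetical asset ids and dates)."""
    return [
        Equipment("SRV-01", "file server", 180, date(2023, 11, 1)),
        Equipment("UPS-01", "server room UPS", 365, date(2023, 9, 15)),
        Equipment("PRN-03", "finance printer", 90, date(2024, 1, 10)),
    ]


def demo() -> dict:
    register = build_sample_register()
    today = date(2024, 6, 1)
    results = {"overdue_before": overdue_equipment(register, today)}
    srv = register[0]
    record_fault(srv, date(2024, 5, 30), "a.smith", "disk volume at 100% (constructed fault)")
    event = start_maintenance(srv, today, "preventive", "vendor-tech-01", "scheduled service")
    results["back_in_service"] = return_to_operation(srv, event, True, True, today)
    results["overdue_after"] = overdue_equipment(register, today)
    try:                              # external technician without an NDA must be refused
        start_maintenance(register[1], today, "corrective", "vendor-tech-02")
        results["unvetted_external_blocked"] = False
    except PermissionError:
        results["unvetted_external_blocked"] = True
    results["history"] = maintenance_history(srv)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The register treats the service interval as restarting only when a preventive service has passed the post-maintenance inspection, so an asset that failed its tamper check stays both out of service and overdue, which is the state an auditor would expect to see flagged.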

Steps to carry out Maintenance

1) Preparing: Since the organisation may possess information systems and tools purchased from different vendors over a long period, efficient record keeping of the systems in hand is essential for maintenance management; hence performing a hardware, software and telecommunications inventory is the first step of an efficient maintenance program. Appropriate maintenance of the records and transaction monitoring keep the information up to date, which in turn allows statistical data to be extracted and used as input to further consideration of system maintainability, sustainability and related costs. For record keeping, simple techniques like spreadsheets and custom databases may be used; for efficient monitoring of complex systems an integrated asset management tool is required. A data preservation survey must be conducted, indicating the volumes, importance and retention period of data, which in turn results in decisions about data retention periods, backups and requirements on availability and security. Finally, simple and consistent processes must be defined for issue reporting and restoration activities.

2) Obtain good and detailed system documentation: A well documented system (covering the entire architecture as well as all of its elements) is very important, especially for software maintenance. Furthermore, updated documentation reflecting the changes derived from the maintenance activities should be provided for future purposes. Good documentation aims at providing structured instead of unstructured maintenance:

  • Unstructured maintenance wades straight into the source code and makes changes based on that alone
  • Structured maintenance examines and modifies the original design, and then reworks the code to match it

Clearly structured maintenance is a more reliable and (usually) a more efficient process. Unfortunately, it’s not possible without detailed design documentation.

3) Prioritizing needs: Maintenance costs are a significant part of the system’s total life cycle costs. Therefore, revision of the business non-functional requirements (such as availability, performance, etc.) for each part of the system is essential before signing any new maintenance contract, in order to keep the organisation’s costs within affordable limits.

4) Contracting: Maintenance contracts may be signed with the providers who supplied the equipment or with third parties who possess the appropriate infrastructure. Increasing the number of contracts and contractors increases complexity and may cause administrative problems; hence it is advisable to review and consolidate maintenance contracts regularly, possibly achieving significant cost reductions as well.

5) Hardware Inventory includes:

  • Enterprise level servers, disk storage equipment
  • Distributed servers, disk storage and network communications equipment (LAN)
  • Local Desktop Devices, Laptops, Cell Phones, PDAs, etc.
  • UPS, Generators, Emergency Power Systems
  • Associated Maintenance Agreements
  • System Documentation

6) Software Inventory includes:

  • Verification of the type of license and transferability (e.g. Master License Agreement, Academic License Agreement, etc)
  • Enterprise level commercial-off-the-shelf (COTS) software licenses, installation media and documentation.
  • Custom developed software, configuration management libraries & procedures, binary images, documentation and all project related material.
  • Distributed COTS software licenses, installation media and documentation
  • Local COTS software licenses, installation media and documentation
  • Software and Associated Maintenance Agreements
  • Transference to New Dept or Local Entity
  • System Documentation
  • Version Control
  • Configuration Management

7) Telecommunications Inventory includes:

  • Network Equipment (leased, financed or owned), Maintenance Agreements and Circuits
  • PBX, Switches
  • Racks and Other Peripherals
  • Circuits, Service Providers, Maintenance and Monitoring Contracts
  • Point-to-Point Connections
  • Impact on internal and external entities if services are terminated

8) Scheduling: Maintenance activities scheduling takes place only for preventive maintenance, which is performed during planned outage periods. Preventive maintenance has the following objectives:

  • Keeping equipment and facilities in satisfactory operating condition by providing for systematic inspection, detection, and correction of incipient failures either before they occur or before they develop into major defects.
  • Maintenance, including tests, measurements, adjustments, and parts replacement, performed specifically to prevent faults from occurring.

9) Monitoring: Maintenance activities must be monitored. The related transaction data serve in the calculation of penalties (if applicable), the tracing of costs, etc., whereas statistical data contribute to decisions about system maintainability, sustainability or upgrade needs.

ISO 27001:2022 A 7.12 Cabling security

Most modern technologies would not function properly without cables such as fiber, network, or power cables. Cabling is more than just your CAT6e or CAT7 data cabling or your fibre; ISO 27001 wants you to consider power as well. Anything that carries data or supports information services needs to be considered and protected from interception, interference, or damage. While cables are essential to the transmission of information assets and to the provision of information services, they expose the availability and confidentiality of information assets, and the continuity of business operations, to risk. These risks may arise from damage to, interception of, or interference with these cables. Furthermore, personnel with access to these cables may accidentally cause damage. For example, cyber criminals with access to fiber cables can use simple techniques such as ‘bending the fiber’ to interrupt all network traffic, resulting in the loss of availability of information. Cabling security needs to be considered to reduce risks related to eavesdropping and data theft, which increase if your company uses a cable supplier. Attackers can tap into the cables, interfere with operations or steal data. Controls include hiding the cables, protecting them in covers, monitoring for interference, or using multiple lines for specific high-risk departments. Organisations aim to achieve two distinct purposes:

  • Protecting information assets carried via cables against unauthorized access, use, damage, or destruction by implementing appropriate measures;
  • Ensuring the continuity of business operations by maintaining the security of cables that carry information assets, power, and electricity.

Control

Cables carrying power, data or supporting information services should be protected from interception, interference or damage.

Purpose

To prevent loss, damage, theft or compromise of information and other associated assets and interruption to the organization’s operations related to power and communications cabling.

ISO 27002 Implementation Guidance

The following guidelines for cabling security should be considered:

  1. power and telecommunications lines into information processing facilities being underground where possible, or subject to adequate alternative protection, such as floor cable protector and utility pole; if cables are underground, protecting them from accidental cuts (e.g. with armored conduits or signals of presence);
  2. segregating power cables from communications cables to prevent interference;
  3. for sensitive or critical systems, further controls to consider include:
    • installation of armored conduit and locked rooms or boxes and alarms at inspection and termination points;
    • use of electromagnetic shielding to protect the cables;
    • periodical technical sweeps and physical inspections to detect unauthorized devices being attached to the cables;
    • controlled access to patch panels and cable rooms (e.g. with mechanical keys or PINs);
    • use of fiber-optic cables;
  4. labeling cables at each end with sufficient source and destination details to enable the physical identification and inspection of the cable.

Specialist advice should be sought on how to manage risks arising from cabling incidents or malfunctions.

Other information

Sometimes power and telecommunications cabling are shared resources for more than one organization occupying co-located premises.

Power and telecommunications cabling carrying data or supporting information services needs to be protected from interception, interference or damage. If power and network cables are not sited and protected adequately, an attacker may be able to intercept or disrupt communications or shut down power provision. Wherever possible, network and power cables should be underground or otherwise protected, and separated from each other to protect against interference. Depending on the sensitivity or classification of data, it may be necessary to separate communications cables for different levels and additionally inspect termination points for authorized devices. The auditor will visually inspect the cables and, if they are relevant to the level of classification or risk, request evidence of visual inspection. Organisations should take into account the following four criteria for compliance:

  1. Telecommunications and power cables connected to the information processing facilities should be placed underground to the extent feasible. Furthermore, cables laid underground should be protected against accidental cuts through suitable techniques such as armored conduits. If placing the cables underground is not possible, organisations can consider implementing alternative protective measures such as floor cable protectors and utility poles.
  2. Power and communications cables should be segregated to eliminate the risk of interference.
  3. Considering that cables connected to critical information systems present higher risks to sensitive information assets and to business operations, organisations should consider putting in place the following controls:

  • Using armored conduit, installing locked rooms & boxes, and setting up alarm systems both at inspection and terminal points.
  • Applying electromagnetic shielding technique to prevent damage to cables.
  • Cables should be subject to inspections at regular intervals and to technical sweeps to ensure that no unauthorised device is connected to the cables.
  • Establishing access control procedures and measures for access to cable rooms and patch panels.
  • Using fibre-optic cables.

  4. The source and destination details of each cable should be labelled at both ends of the cable so that the cable can be easily identified and inspected.

Furthermore, organisations are advised to seek expert advice on how to manage risks that may arise from cable malfunctions. Last but not least, organisations should consider the risks related to the use of communications and power cables by more than one organisation when they share premises.

Structured IT cabling is the design and installation of a cabling system that will support multiple hardware uses, both today and for any hardware added in the future. It is the foundation of the network infrastructure and carries all data transmission and computer-based telephone service. Every business has some sort of structured cabling network, but they vary in size, organisation, and capability. No matter how large your business is, a seamlessly functional structured cabling network will save you and your employees a lot of trouble. Here are the top four reasons that structured cabling networks are critical for IT security.

  1. Compliance and Security: IT infrastructure is essentially the nucleus of the organisation. It is where servers, switches and routers are located, and every piece of hardware (computers, phones, printers, security cameras) is connected to them by cabling. If these cables are not labeled and organised well, it is very difficult to know what they are connected to, and it is equally difficult to tell whether an unauthorised person has made changes to your physical network. Keeping photos of the cabling network on file for reference makes it easy to identify changes and potentially why someone made them. It is the simplest way to tell if someone is tampering with your network from a physical standpoint.
  2. Faster Speeds and Reliability: One of the most important things to any business is network stability and speed. There is nothing more frustrating than being on an important virtual meeting and having latency issues or drop-offs. A highly functional structured cabling network gives you and your employees a trustworthy connection to the internet and speed in locating important files stored on your network. If you have ever searched for a specific file and had to wait an extended period for it to be located, you may have issues with your physical cabling system.
  3. More Effective Support and Troubleshooting: Technology by nature is ever changing and evolving, and with this come issues that need to be addressed. If your structured cabling network is poorly installed, organised, or labeled, your support team will have a much tougher time identifying the issues you come across. This can lead to longer waits before getting back to the task at hand, and even the need to reach out to third parties for help.
  4. Cost Saving: Your structured cabling network can save you time and money. As mentioned above, it is the nucleus of your organisation and should be invested in up front, so you do not have to spend more money down the road to fix or even reinstall the entire network. If your employees are unable to be productive due to latency issues, drop-offs, and lost files, you are losing money. If your support team needs to spend twice as much time locating the issue, you are losing money. Time is a resource that transfers directly to cost in the business world.

Power and telecommunications cabling that is in place to support information systems or transfer data should be protected from interception, interference, or damage. Your organisation should use clearly identifiable cable markings to minimise handling errors, such as accidentally unplugging or moving the wrong patch or network cable. Physical access to information system distribution and transmission lines should be controlled within your organisation’s facilities (e.g., wiring closets, patch panels, network jacks). Physical network ports throughout your facilities should be disabled when there is no continuous need for them to be active: a live network port (e.g., in the lobby or reception area), with no additional technical controls, could give a hacker or other bad actor direct access into your organisation’s networks. Depending on the size of your organisation and the number of information systems in use, cabling security controls may require a notable time investment to implement correctly. This is especially true if you are trying to make cables look less like a bowl of fettuccine and more like a well-organised field of corn. It is highly recommended to spend the time necessary to ensure cables are labeled and neatly organised to prevent unintentional, unforced errors. A short-term project to address cabling today will help prevent countless issues tomorrow.
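The inspection points raised in this section (labels at both ends of every cable, termination points checked for authorised devices, a reference record of the cabling so that changes stand out, and live ports only where there is a continuous need) can be turned into a repeatable check by comparing a recorded baseline against the result of a physical survey. The Python below is an added example written for this page, not code from the page or from any standard; the patch panel, port, cable and device identifiers are constructed, and the survey data stands in for what an inspector would record by hand.

```python
"""Patch-panel baseline comparison: an added example for cabling inspections (A 7.12)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Dict


@dataclass(frozen=True)
class Termination:
    cable_id: str
    label_panel_end: Optional[str]   # label text read at the patch-panel end (None if missing)
    label_far_end: Optional[str]     # label text read at the far end
    panel_port: str                  # source: patch panel and port
    device: str                      # destination found at the far end


# Constructed baseline (hypothetical): what the cabling looked like when it was last signed off.
BASELINE = [
    Termination("C-001", "PP1-01 -> SRV-01", "PP1-01 -> SRV-01", "PP1-01", "SRV-01"),
    Termination("C-002", "PP1-02 -> WS-14", "PP1-02 -> WS-14", "PP1-02", "WS-14"),
    Termination("C-003", "PP1-03 -> WS-15", "PP1-03 -> WS-15", "PP1-03", "WS-15"),
    Termination("C-004", "PP1-04 -> PRN-03", "PP1-04 -> PRN-03", "PP1-04", "PRN-03"),
]

# Constructed survey (hypothetical): what the inspector actually found on the day.
SURVEY = [
    Termination("C-001", "PP1-01 -> SRV-01", "PP1-01 -> SRV-01", "PP1-01", "SRV-01"),
    Termination("C-002", "PP1-02 -> WS-14", None, "PP1-02", "WS-14"),              # far-end label missing
    Termination("C-003", "PP1-03 -> WS-15", "PP1-03 -> WS-15", "PP1-03", "unknown-device"),  # different device
    Termination("C-009", None, None, "PP1-07", "unknown-device"),                    # cable not in baseline
]

# Panel ports with a continuous business need to be active (constructed).
NEEDED_PORTS: Set[str] = {"PP1-01", "PP1-02", "PP1-03", "PP1-04"}
# Ports the switch reports as link-up during the survey (constructed).
LIVE_PORTS: Set[str] = {"PP1-01", "PP1-02", "PP1-03", "PP1-07"}


def label_problems(survey: List[Termination]) -> List[str]:
    """Guideline 4: a cable needs a matching source/destination label at each end."""
    expected = lambda t: f"{t.panel_port} -> {t.device}"
    return sorted(
        t.cable_id for t in survey
        if t.label_panel_end is None or t.label_far_end is None
        or t.label_panel_end != t.label_far_end
        or t.label_panel_end != expected(t)
    )


def compare_to_baseline(baseline: List[Termination], survey: List[Termination]) -> Dict[str, List[str]]:
    """Detect cables that moved, appeared, or disappeared relative to the signed-off record."""
    base = {t.cable_id: t for t in baseline}
    seen = {t.cable_id: t for t in survey}
    moved = sorted(
        c for c in base.keys() & seen.keys()
        if (base[c].panel_port, base[c].device) != (seen[c].panel_port, seen[c].device)
    )
    return {
        "moved": moved,                                   # termination differs: possible unauthorised device
        "unexpected": sorted(seen.keys() - base.keys()),  # new cable nobody recorded
        "missing": sorted(base.keys() - seen.keys()),     # recorded cable no longer present
    }


def live_ports_without_need(live_ports: Set[str], needed_ports: Set[str]) -> List[str]:
    """Ports that are active but have no continuous need and should be disabled."""
    return sorted(live_ports - needed_ports)


def inspection_report() -> dict:
    report = compare_to_baseline(BASELINE, SURVEY)
    report["label_problems"] = label_problems(SURVEY)
    report["live_without_need"] = live_ports_without_need(LIVE_PORTS, NEEDED_PORTS)
    return report


if __name__ == "__main__":
    for finding, items in inspection_report().items():
        print(f"{finding}: {items}")
```

Every finding in the report maps to an action the section already calls for: label problems are fixed on the spot, moved or unexpected cables are traced before the termination is accepted as authorised, missing cables are reconciled with the change record, and live ports with no need are disabled. Keeping the baseline under version control alongside the photographs gives the auditor the evidence of inspection the text mentions.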

ISO 27001:2022 A 7.11 Supporting utilities

Failure or disruption of utilities such as electricity, gas, water, or cooling needed for the proper and continuous functioning of information processing facilities may compromise information assets or interrupt business continuity. For example, the failure of air conditioning equipment in a data centre during a heatwave may lead to a sudden rise in temperature, causing servers hosting website and/or customer data to shut down, with loss of availability of data and disruption to business operations. Organisations can reduce risks to the availability and integrity of information assets from the failure of supporting utilities such as gas, cooling, telecommunications, water, and electricity by putting in place appropriate measures that protect those utilities against failures and disruptions such as power outages. Organisations must identify risks to the continuous operation of supporting utilities and implement appropriate measures and controls so that the availability and integrity of information assets are not affected by failures of these utilities. Your equipment needs to be safeguarded against threats relating to utility failures, including power outages from fallen lines or blown transformers, or loss of wireless connectivity. Most of these incidents will affect the temporary availability of your information systems, and some threats are genuinely unforeseeable, so consider having a backup plan that involves a generator or dual-routed access and power supplies.

Control

Information processing facilities should be protected from power failures and other disruptions caused by failures in supporting utilities.

Purpose

To prevent loss, damage or compromise of information and other associated assets, or interruption to the organization’s operations due to failure and disruption of supporting utilities.

ISO 27002 Implementation Guidance

Organizations depend on utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) to support their information processing facilities. Therefore, the organization should:
a) ensure equipment supporting the utilities is configured, operated and maintained in accordance with the relevant manufacturer’s specifications;
b) ensure utilities are appraised regularly for their capacity to meet business growth and interactions with other supporting utilities;
c) ensure equipment supporting the utilities is inspected and tested regularly to ensure their proper functioning;
d) if necessary, raise alarms to detect utilities malfunctions;
e) if necessary, ensure utilities have multiple feeds with diverse physical routing;
f) ensure equipment supporting the utilities is on a separate network from the information processing facilities if connected to a network;
g) ensure equipment supporting the utilities is connected to the internet only when needed and only in a secure manner.
Emergency lighting and communications should be provided. Emergency switches and valves to cut off power, water, gas or other utilities should be located near emergency exits or equipment rooms. Emergency contact details should be recorded and available to personnel in the event of an outage.

Other information

Additional redundancy for network connectivity can be obtained by means of multiple routes from more than one utility provider.

Organisations should take the necessary steps to limit the potential operational impact of supporting utility failures. The clear risk of not addressing supporting utility controls is unplanned outages that affect business operations. All supporting utilities, such as electricity, natural gas, water supplies, sewage, and heating, ventilation and air conditioning (HVAC), should be adequate for the systems, as well as the personnel, they support. Supporting utilities also need to be able to support any new infrastructure devices or other new equipment planned for implementation as your organisation grows. A suitable electrical supply should be provided that meets the power requirements defined by equipment manufacturers. An uninterruptible power supply (UPS) should be implemented to support the orderly shutdown of equipment that supports critical business operations. UPS devices and generators should be regularly checked to ensure they have adequate capacity, and tested in accordance with the recommendations of the respective manufacturer or vendor. Emergency lighting should be installed and regularly tested to ensure it operates correctly in case of a power failure, and should cover all emergency exits and planned evacuation routes within each of your organisation’s facilities. Emergency power-off switches should be located near emergency exits in data centres and equipment rooms to allow a rapid power down in an emergency; these devices should be maintained, prominently marked, and protected from accidental activation.

It seems obvious that the equipment must be connected to a power outlet, and in many cases there is a UPS and/or a generator that can provide power if the main energy supplier fails. But companies often have never tried their alternative energy supply, or do not know its capacity, i.e. how long the business can run on this alternative energy. Therefore, it is not only important to establish an alternative, but also to define a maintenance plan and the tasks that will be performed. It is highly recommended that you generate a report with the results (conclusions, failures, duration of the tests, etc.).

Some of the causes of disruption in information processing facilities

  1. Cyber crime: Because cyber crime has become the second most common cause of unplanned disruption, security must be addressed at every level. Defending against attacks is only half of the battle. Cyber threats, including phishing and ransomware attacks, are among the most dangerous causes of disruption. Attackers can exploit weaknesses within your organisation and gain access to your sensitive data, exposing vital information and endangering your business.
  2. Human error: Regular and thorough training for staff should be a top priority. To reduce errors and ensure the desired outcomes, you may also document method-of-procedure (MOP) techniques for carrying out complicated activities. Only qualified experts should monitor, maintain and manage the power and infrastructure, to minimise downtime.
  3. Weather: Natural catastrophes are unavoidable, but taking preventative precautions before something happens can help you avoid severe damage. Regularly test your disaster recovery plan and backup diesel generators.
  4. Generators: Even though generator failures account for only 6% of faults, it is still essential to check and test them regularly. Make use of N+1 redundancy and perform preventative maintenance.
  5. Insufficient backup power: The most common reason for disruption is power loss, and power outages can happen at any time. Because of this, data centres typically have additional power sources in case the primary one is interrupted; the most commonly used backup sources are generators and batteries. Issues arise, however, when operators do not run power failure tests or replace batteries often enough. Without these preventative steps, your backup power may not be available when you need it.
  6. Cooling failures: Because information processing facilities generate an incredible amount of heat, effective cooling is vital to prevent equipment from overheating or suffering shortened life spans. If your cooling does not work as intended, the facility may experience erratic temperatures, freezing one minute and sizzling the next. Failing to implement backup cooling procedures and to properly maintain the cooling you already have can cause productivity to take a hit.

Since supporting utilities such as water supply, electricity, communications, sewage, and air conditioning are vital to the operations carried out in information processing facilities, organisations should take the following into account to comply with the requirements:

  • Organisations should conform to the manufacturer’s instructions when configuring, using, and maintaining the devices used to control the utilities.
  • Utilities should be audited to ensure that they are fit to fulfil business growth objectives and they operate with other utilities without any issue.
  • All equipment supporting the utilities should go through regular inspections and testing so that there is no disruption or failure of their proper functioning.
  • Depending on the level of risk to the information assets and business continuity, an alarm system can be established for malfunctioning equipment supporting the utilities.
  • To minimise the risk, utilities should have multiple feeds with separate physical routing.
  • The network connected to the equipment supporting utilities should be segregated from the network connected to IT facilities.
  • Equipment supporting the utilities should be allowed to connect to the internet only if it is strictly necessary and this connection should be established in a secure manner.
  • Emergency procedures: Organisations should designate an emergency contact person and record his or her contact details, and provide these details to all personnel in the event of a failure or disruption. Emergency switches and valves to halt utilities such as water, gas, and electricity should be placed near the emergency exits. Emergency lighting and communications should be ready for use in case an emergency arises.
  • Network connectivity: Organisations can consider having additional routes from alternative service providers to increase the redundancy of network connectivity, so that the impact of failures or disruptions of supporting utilities is reduced.

ISO 27001:2022 A 7.9 Security of assets off-premises

When devices containing information assets are taken out of an organisation’s premises, they are exposed to higher risks of damage, loss, destruction, theft, or compromise. This is because the physical security controls implemented within the organisation’s facilities no longer apply, leaving off-site assets vulnerable to threats such as physical hazards and unauthorised access by malicious parties. For example, employees working off-site may take corporate computers containing sensitive information out of business premises, work at a coffee house or hotel lobby, connect to insecure public Wi-Fi and leave their devices unattended. All of these present risks to the confidentiality, integrity, and availability of the information hosted on these devices. Organisations should establish and apply procedures and controls that cover all devices owned by or used on behalf of the organisation. Furthermore, an asset inventory and upper management’s approval of the use of personal devices are essential to the effective protection of off-site devices.

Security controls need to be applied to off-site assets, taking into account the different risks involved with working outside the organisation’s premises. This is a common area of vulnerability, so it is important that an appropriate level of controls is implemented and tied into other mobile-device controls and policies for homeworkers and the like. Risk assessments should be carried out for assets that are taken off site, either routinely or by exception. Controls will likely include a mixture of technical controls such as access control policies, password management and encryption; physical controls such as locks; and policy and process controls such as the instruction never to leave assets unattended in public view (e.g. locking them in the boot of the car). It is particularly important to review security incident trends relating to off-site assets. The auditor will expect to see evidence of this risk assessment taking place and of proportionate controls selected according to the evaluated risk levels, as well as evidence of policy compliance.

Control

Off-site assets should be protected.

Purpose

To prevent loss, damage, theft or compromise of off-site devices and interruption to the organization’s operations.

ISO 27002 Implementation Guidance

Any device used outside the organization’s premises which stores or processes information (e.g. mobile device), including devices owned by the organization and devices owned privately and used on behalf of the organization [bring your own device (BYOD)], needs protection. The use of these devices should be authorized by management. The following guidelines should be considered for the protection of devices which store or process information outside the organization’s premises:

  1. not leaving equipment and storage media taken off premises unattended in public and unsecured places;
  2. observing manufacturers’ instructions for protecting equipment at all times (e.g. protection against exposure to strong electromagnetic fields, water, heat, humidity, dust);
  3. when off-premises equipment is transferred among different individuals or interested parties, maintaining a log that defines the chain of custody for the equipment including at least names and organizations of those who are responsible for the equipment. Information that does not need to be transferred with the asset should be securely deleted before the transfer;
  4. where necessary and practical, requiring authorization for equipment and media to be removed from the organization’s premises and keeping a record of such removals in order to maintain an audit trail;
  5. protecting against viewing information on a device (e.g. mobile or laptop) on public transport, and the risks associated with shoulder surfing;
  6. implementing location tracking and the ability for remote wiping of devices.

Permanent installation of equipment outside the organization’s premises [such as antennas and automated teller machines (ATMs)] can be subject to higher risk of damage, theft or eavesdropping. These risks can vary considerably between locations and should be taken into account in determining the most appropriate measures. The following guidelines should be considered when siting this equipment outside of the organization’s premises:
a) physical security monitoring;
b) protecting against physical and environmental threats;
c) physical access and tamper-proofing controls;
d) logical access controls.

It may be difficult to maintain the same level of security control over information systems and other assets when they are taken off-premises. Controls that are enforced while systems are connected to the organization’s network may not be enforceable when they are off the network, and the physical security controls are very likely to be significantly different as well. These risks are magnified if personnel are not well trained in security best practices and acceptable-use requirements.

Computers, peripherals, paperwork, reports, software and other information assets belonging to the organization should not be taken off site without prior authorization. Records should be maintained for all information assets taken off site, and updated once the equipment or other information assets have been returned. The organization’s asset inventory is usually the most convenient place to record which assets have been taken off-site, by whom, and when they are scheduled to be returned.

Security controls comparable to those applied on-site should be applied to off-site equipment, taking into account the different risks of working outside the organization’s premises. Particular attention should be given to protecting equipment during business or personal travel. Full-disk encryption should be deployed on all laptops.

Information assets remain the property of the organization even when they are off-premises. Personnel should be trained that these assets are not to be used by family members or friends: such unauthorized use introduces technical risks and can expose confidential data to people who are not entitled to see it. All personnel should be responsible, and held accountable, for every action performed on or with the information assets assigned to them.
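The requirement that full-disk encryption be deployed on all laptops is only auditable if something actually checks it. The following script is an added example written for this page, not code from the ISO text or any product: it parses the JSON output of `lsblk --json -o NAME,TYPE,MOUNTPOINT` from a Linux laptop and reports which mounted filesystems sit on top of a `crypt` (dm-crypt/LUKS) device, including LVM-on-LUKS layouts where the mounted volume is a grandchild of the encrypted container. The two `lsblk` outputs embedded in it are constructed samples; the list of mountpoints that must be encrypted (`REQUIRED_ENCRYPTED`) is an assumed local policy, and `/boot` and `/boot/efi` are deliberately not on it because a LUKS-encrypted root normally still boots from an unencrypted partition.

```python
"""Check that a Linux laptop's data filesystems live on an encrypted block device.

Added example (not from the ISO text). Walks the `lsblk --json` device tree:
a filesystem counts as encrypted when it, or any ancestor, is a `crypt` device.
"""
import json
import subprocess

# Assumed policy: these mountpoints must be encrypted. /boot and /boot/efi are
# left out because a LUKS root normally still boots from an unencrypted partition.
REQUIRED_ENCRYPTED = ("/", "/home")

# Constructed sample: NVMe disk, LUKS container holding an LVM root and home.
ENCRYPTED_LAPTOP = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]}]}
"""

# Constructed sample: partitions mounted directly (no crypt layer) plus a USB stick.
UNENCRYPTED_LAPTOP = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
    {"name": "nvme0n1p3", "type": "part", "mountpoint": "/home"}]},
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/media/usb"}]}]}
"""


def _mountpoints(node: dict) -> list:
    """Support both the older 'mountpoint' and the newer 'mountpoints' lsblk field."""
    if node.get("mountpoints"):
        return [m for m in node["mountpoints"] if m]
    return [node["mountpoint"]] if node.get("mountpoint") else []


def encrypted_mounts(lsblk_json: str) -> dict:
    """Return {mountpoint: encrypted?} for every mounted filesystem in the tree."""
    result = {}

    def walk(node, under_crypt):
        # Once we pass through a crypt device, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_required(lsblk_json: str, required=REQUIRED_ENCRYPTED) -> list:
    """Policy mountpoints that are mounted but not encrypted. An absent mountpoint
    is not a finding here: a missing /home usually just means it lives under /."""
    mounts = encrypted_mounts(lsblk_json)
    return sorted(mp for mp in required if mp in mounts and not mounts[mp])


if __name__ == "__main__":
    live = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                          capture_output=True, text=True, check=True).stdout
    missing = unencrypted_required(live)
    print("FDE check:", "PASS" if not missing else f"FAIL, unencrypted: {missing}")
```

Run it on the laptop itself, or feed it `lsblk --json` output collected by an endpoint agent. The check looks at the block layer rather than at a configuration file, so a laptop that was imaged without LUKS, or whose `/home` was later moved to an unencrypted partition, shows up as a failure even if the build documentation says encryption is in place.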
When equipment leaves the premises it is not enough to establish that its contents are encrypted: the employees who take the equipment out must also ensure its physical safety at all times, with special attention in public places, and take care not to let it become damaged. The same measures apply when an employee works from home. The control addresses two specific risks:

  1. Loss, damage, destruction or compromise of devices housing information assets when they are taken off-premises.
  2. Interruption to the organisation’s information processing activities due to the compromise of off-site devices.

To address these risks, the following measures should be applied:

  1. Computing equipment and storage media taken off-site, such as corporate computers, USB drives, hard drives and monitors, should not be left unattended in public spaces such as coffee houses or in any other insecure area.
  2. The device manufacturer’s guidance and specifications on physical protection should be complied with at all times; for instance, the manufacturer’s instructions may cover protecting the device against water, heat, electromagnetic fields and dust.
  3. Employees or other organisations that take computing equipment outside corporate premises may hand it on to other employees or third parties. To maintain the security of this equipment, the organisation should keep a log that defines the chain of custody, recording at least the names of the individuals responsible for the device and their organisation. Information that does not need to travel with the device should be securely deleted before it is handed over.
  4. If the organisation deems an authorization process for the removal of equipment necessary and practical, it should establish and apply one for taking equipment off-site, and keep a record of every removal so that it has an audit trail.
  5. Appropriate measures should be implemented to prevent unauthorized viewing of on-screen information on public transport and elsewhere in public (shoulder surfing).
  6. Location tracking and remote management tools should be in place so that a lost or stolen device can be located and the information on it wiped remotely if needed.
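The chain-of-custody log and the removal record that provides an audit trail (items 3 and 4 above, and the same points in the ISO guidance earlier) are easier to reason about with a concrete register. The following is an added example written for this page, not code from the ISO text or any asset-management product. The asset ID, names, organisations and dates in `demo()` are constructed, and the rule that every removal must name an approver is an assumed local policy. Each trail entry carries the SHA-256 digest of the previous entry, so a record that is edited or deleted after the fact is detected when the trail is verified.

```python
"""Off-site asset register with chain-of-custody log and hash-chained audit trail.
Added example (not from the ISO text): check-out, hand-over and return are all
appended to a trail whose entries commit to their predecessor with SHA-256."""
import hashlib
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Custodian:
    name: str
    organisation: str


class AssetRegister:
    def __init__(self) -> None:
        self._out = {}    # asset_id -> {"custodian": Custodian, "due": date}
        self.trail = []   # hash-chained event dicts, oldest first

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, **fields) -> None:
        fields["prev"] = self.trail[-1]["digest"] if self.trail else "0" * 64
        fields["digest"] = self._digest(fields)
        self.trail.append(fields)

    def check_out(self, asset_id, custodian, approved_by, due, on) -> None:
        """Record removal from the premises. Assumed policy: a named approver is mandatory."""
        if not approved_by:
            raise PermissionError(f"removal of {asset_id} requires a named approver")
        if asset_id in self._out:
            raise ValueError(f"{asset_id} is already recorded as off-site")
        self._out[asset_id] = {"custodian": custodian, "due": due}
        self._log(action="check_out", asset=asset_id, to=custodian.name,
                  to_org=custodian.organisation, approved_by=approved_by,
                  due=due.isoformat(), on=on.isoformat())

    def transfer(self, asset_id, new_custodian, on) -> None:
        """Hand an off-site asset to another person or organisation (chain of custody)."""
        rec = self._out.get(asset_id)
        if rec is None:
            raise ValueError(f"{asset_id} is not recorded as off-site")
        old, rec["custodian"] = rec["custodian"], new_custodian
        self._log(action="transfer", asset=asset_id, from_name=old.name,
                  from_org=old.organisation, to=new_custodian.name,
                  to_org=new_custodian.organisation, on=on.isoformat())

    def check_in(self, asset_id, on) -> None:
        """Record the asset's return and close the off-site record."""
        rec = self._out.pop(asset_id, None)
        if rec is None:
            raise ValueError(f"{asset_id} is not recorded as off-site")
        self._log(action="check_in", asset=asset_id,
                  from_name=rec["custodian"].name, on=on.isoformat())

    def overdue(self, as_of: date) -> list:
        """Assets still off-site whose scheduled return date has passed."""
        return sorted(a for a, r in self._out.items() if r["due"] < as_of)

    def custody_chain(self, asset_id) -> list:
        """Everyone who has held the asset, in order, as (name, organisation)."""
        return [(e["to"], e["to_org"]) for e in self.trail
                if e["asset"] == asset_id and e["action"] in ("check_out", "transfer")]

    def verify_trail(self) -> bool:
        """True only if no entry has been altered or removed since it was written."""
        prev = "0" * 64
        for entry in self.trail:
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def demo() -> dict:
    """Constructed scenario: a laptop is checked out, handed to a contractor,
    comes back late, and the hand-over record is then edited."""
    reg = AssetRegister()
    alice = Custodian("Alice Example", "Example Ltd")
    bob = Custodian("Bob Contractor", "Contractor Co")
    reg.check_out("LT-0042", alice, approved_by="IT manager",
                  due=date(2024, 6, 10), on=date(2024, 6, 3))
    reg.transfer("LT-0042", bob, on=date(2024, 6, 5))
    out = {"overdue_on_12th": reg.overdue(date(2024, 6, 12)),
           "overdue_on_9th": reg.overdue(date(2024, 6, 9)),
           "chain": reg.custody_chain("LT-0042"),
           "trail_ok": reg.verify_trail()}
    try:  # removal without an approver is refused and leaves no record
        reg.check_out("USB-0007", alice, approved_by="", due=date(2024, 6, 4), on=date(2024, 6, 3))
        out["unapproved_rejected"] = False
    except PermissionError:
        out["unapproved_rejected"] = True
    reg.check_in("LT-0042", on=date(2024, 6, 12))
    out["overdue_after_return"] = reg.overdue(date(2024, 6, 12))
    reg.trail[1]["to"] = "Mallory"  # someone rewrites the hand-over record afterwards
    out["trail_ok_after_tamper"] = reg.verify_trail()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the trail would be persisted (append-only file or table) and `verify_trail()` run as part of the periodic review, alongside `overdue()` to chase assets that have not come back; the hash chain does not stop a privileged insider from rewriting the whole log, but it does make a single altered or dropped record visible.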

The control also covers the protection of equipment installed permanently outside corporate premises, such as antennas and ATMs. Because this equipment may be subject to heightened risks of damage, theft or eavesdropping, which vary considerably from location to location, organisations should take the following into account when protecting it:

  • Physical security monitoring should be considered.
  • Protection against environmental and physical threats should be taken into account.
  • Physical access controls should be established and appropriate measures implemented to prevent tampering.
  • Logical access controls should be created and applied.

Advice for laptop, tablet & smartphone users

  • Employees should keep mobile devices with them at all times. When unattended – for example in a hotel room or meeting room – they should keep them hidden or physically locked away. They should also be carried in hand baggage on an aircraft or coach.
  • Laptops, tablets and smartphones should never be left on a vehicle seat. Even when the driver is in the vehicle, their device could be vulnerable when stationary (for example, whilst parking or at traffic lights).
  • Employees with tablets and smartphones should do their best not to have them on display when out and about owing to the increasing trend of snatch robberies, sometimes involving physical violence.
  • Ensure your employees use padded bags to carry their laptops and, where feasible, tablets. Many laptops are broken simply by dropping them.

ISO 27001:2022 A 7.8 Equipment siting and protection

Equipment needs to be sited and protected to reduce the risks from environmental threats and hazards and from unauthorized access. Where equipment is sited will be determined by a number of factors, including its size and nature, its proposed use, accessibility and environmental requirements. Those responsible for siting equipment should conduct a risk assessment and apply the measures below wherever possible, in line with the assessed risk levels.

The control addresses how organisations can eliminate or mitigate the risks that physical and environmental threats pose to equipment hosting information assets. Physical and environmental threats to IT equipment such as servers, computers, hard drives and removable storage media can compromise the availability, confidentiality and integrity of information: a drink spilled onto a server, a system shutting down because of high temperature, and unauthorized access to a computer that is not located in a secure area are all examples.

Equipment should be located where the conditions for proper operation (humidity, temperature and so on) are met, so it is important to install humidity and temperature sensors and to control those conditions. Equipment is designed to operate within certain limits, and many computers (especially servers) shut down automatically when those limits are exceeded, for example at high temperatures, to prevent damage to the hardware; that protective shutdown is itself an interruption to the business. Equipment should also be sited so as to minimize unnecessary access; separate work areas protected by physical access control are one way to achieve this.

Information processing facilities handling sensitive data should be positioned carefully so that screens cannot be overlooked. To maintain an adequate environment, it is also good practice to establish a rule that employees do not eat, drink or smoke in the vicinity of the equipment.

Control

Equipment should be sited securely and protected.

Purpose

To reduce the risks from physical and environmental threats, and from unauthorized access and damage.

ISO 27002 Implementation Guidance

The following guidelines should be considered to protect equipment:

  • siting equipment to minimize unnecessary access into work areas and to avoid unauthorized access;
  • carefully positioning information processing facilities handling sensitive data to reduce the risk of information being viewed by unauthorized persons during their use;
  • adopting controls to minimize the risk of potential physical and environmental threats [e.g. theft, fire, explosives, smoke, water (or water supply failure), dust, vibration, chemical effects, electrical supply interference, communications interference, electromagnetic radiation and vandalism];
  • establishing guidelines for eating, drinking and smoking in proximity to information processing facilities;
  • monitoring environmental conditions, such as temperature and humidity, for conditions which can adversely affect the operation of information processing facilities;
  • applying lightning protection to all buildings and fitting lightning protection filters to all incoming power and communications lines;
  • considering the use of special protection methods, such as keyboard membranes, for equipment in industrial environments;
  • protecting equipment processing confidential information to minimize the risk of information leakage due to electromagnetic emanation;
  • physically separating information processing facilities managed by the organization from those not managed by the organization.

Specific requirements that should be taken into account for compliance:

  • Equipment should be sited in secure areas so that unauthorised persons cannot gain access to it.
  • Equipment used for processing sensitive information, such as computers, monitors and printers, should be positioned so that unauthorised persons cannot see the information displayed on screens.
  • Appropriate measures should be put in place to eliminate or mitigate risks arising from physical and environmental threats such as explosives, communications interference, fire, dust and electromagnetic radiation.
  • Guidelines on eating, drinking and smoking around equipment should be established and communicated to all relevant parties.
  • Environmental conditions that may disrupt information processing, such as temperature and humidity, should be continuously monitored.
  • Lightning protection should be implemented in all buildings and offices; a lightning rod is an effective control against direct strikes, and lightning protection filters should be fitted to all incoming power and communication lines.
  • If equipment is located in an industrial environment, special protection controls such as keyboard membranes should be used where needed.
  • Electromagnetic emanation can leak sensitive information, so equipment processing sensitive or critical information should be protected against it.
  • IT equipment owned and controlled by the organisation should be clearly segregated from equipment that is not.

Physical security must be in place to control access to restricted areas and facilities containing covered devices. Covered devices such as server hardware, desktop computers and storage media should be locked in cabinets or secured with physical restraints that prevent unauthorized removal from the restricted area. Access to areas containing covered devices should be granted only to personnel with a need-to-know based on job function. Restricted areas should display signs giving a clear indication that access is for authorized personnel only, while the facilities themselves should give minimal indication of their purpose, with no obvious signs identifying the presence of covered data or related functions. Physical access control devices such as key-card readers, door locks and cabinet locks should be tested before use and periodically thereafter (e.g. annually). Resource proprietors and custodians should maintain physical or electronic audit trails recording every person’s physical access to restricted areas, for use in security incident investigations. The list of who holds access to physical access control devices should be reviewed regularly, and any inappropriate access identified during the review removed promptly.
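The last two requirements above (an audit trail of physical access, and a regular review of who holds access with prompt removal of anything inappropriate) can be automated against the exports most badge systems produce. The following is an added example, not code from this page or from any access-control product: it reconciles a badge entitlement export against the HR roster and a need-to-know table, lists the entitlements that should be revoked with the reason, and then scans the access log for successful entries by badges that should not have had access, which are incidents to investigate rather than just entitlements to clean up. The roster, entitlements, access log and the need-to-know mapping are all constructed samples with an assumed column layout.

```python
"""Review physical access entitlements against the HR roster and need-to-know.
Added example (not from the ISO text). Assumed input layouts: two CSV exports
(roster, badge entitlements) and a whitespace-separated access-control log."""
import csv
import io

# Constructed HR roster export.
ROSTER = """employee_id,name,job_function,status
E100,Alice Example,Datacentre Ops,active
E101,Bob Builder,Facilities,active
E102,Carol Clerk,Finance,active
E103,Dave Departed,Datacentre Ops,terminated
"""

# Constructed badge-system export: which badge opens which restricted area.
ENTITLEMENTS = """badge_id,employee_id,area
B1,E100,server_room
B2,E101,server_room
B3,E102,server_room
B4,E103,server_room
B5,E100,hr_records
B9,E999,server_room
"""

# Assumed need-to-know policy: job functions entitled to each restricted area.
NEED_TO_KNOW = {
    "server_room": {"Datacentre Ops", "Facilities"},
    "hr_records": {"Human Resources"},
}

# Constructed access-control log: timestamp, badge, area, result.
ACCESS_LOG = """
2024-06-03T02:14:00Z B4 server_room GRANTED
2024-06-03T09:00:00Z B1 server_room GRANTED
2024-06-03T09:05:00Z B3 server_room DENIED
2024-06-03T11:30:00Z B9 server_room GRANTED
"""


def parse_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text.strip())))


def review_entitlements(roster_csv: str, entitlements_csv: str, need_to_know: dict) -> list:
    """Return the entitlements that should be revoked, each with the reason."""
    people = {p["employee_id"]: p for p in parse_csv(roster_csv)}
    findings = []
    for ent in parse_csv(entitlements_csv):
        person = people.get(ent["employee_id"])
        allowed = need_to_know.get(ent["area"], set())
        if person is None:
            reason = "no matching person in HR roster"
        elif person["status"] != "active":
            reason = f"person is {person['status']}"
        elif person["job_function"] not in allowed:
            reason = f"job function {person['job_function']} has no need-to-know for {ent['area']}"
        else:
            continue  # active person with a legitimate need: keep the entitlement
        findings.append({"badge_id": ent["badge_id"], "area": ent["area"], "reason": reason})
    return findings


def suspicious_accesses(log_text: str, findings: list) -> list:
    """Log lines where a badge flagged for revocation actually got in."""
    revoke = {(f["badge_id"], f["area"]) for f in findings}
    hits = []
    for line in log_text.strip().splitlines():
        _ts, badge, area, result = line.split()
        if result == "GRANTED" and (badge, area) in revoke:
            hits.append(line)
    return hits


if __name__ == "__main__":
    found = review_entitlements(ROSTER, ENTITLEMENTS, NEED_TO_KNOW)
    for f in found:
        print(f"REVOKE {f['badge_id']} from {f['area']}: {f['reason']}")
    for line in suspicious_accesses(ACCESS_LOG, found):
        print("INVESTIGATE", line)
```

A denied attempt by a flagged badge (B3 in the sample) is not reported: the control worked. The terminated employee's badge entering the server room at 02:14, and an unknown badge with no roster entry at all, are the findings that justify an incident investigation as well as a revocation.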

Advice to protect your Equipment

  • Keep doors and windows locked.
  • Keep sensitive hard copy records locked away if possible.
  • Fit an intruder alarm, with unique codes for each employee.
  • Fit bars or shutters to vulnerable windows.
  • Use CCTV to deter intruders and record incidents of criminal activity.
  • Consider using computer locking cables on individual desktop machines and laptops.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your computer.
  • Take care how you dispose of packaging that might advertise that you have new equipment.
  • Consult with your insurance company or local crime prevention officer for additional security advice.

Advice for Servers & IT infrastructure

  • Keep servers and network equipment in a locked room and control access to it.
  • Server and networking racks and cabinets can also be protected by individual locks.
  • Disable unused network ports.
  • Locate equipment to minimize risks from fire, flooding and theft.
  • Keep a fire extinguisher suitable for use with electrical equipment, near your IT equipment.

Advice on Visitors to your business:

  • Be vigilant about granting access to any visitors, and escort them where appropriate.
  • Vet contractors and support personnel.
  • Restrict access to sensitive areas, such as server rooms or HR records.
  • Encourage staff to challenge unescorted strangers in secure areas.

Limit the impact of a theft or loss

  • Make a note of all IT equipment serial numbers to enable reporting if stolen.
  • Security mark computers and other high-value items.
  • Keep printed photographic records of all equipment and lock them away safely.
  • Never store passwords unprotected on computers (for example in plain-text files or documents).
  • Ensure computer equipment is adequately insured.
  • Back up data (see Backups for more information).