This is the second of two parts of our publication, looking at the new section 8 controls of the ISO 27002:2022 update. Please refer to part one for section 5 and section 7 controls.
In part two of our post, we will cover:
- Configuration Management (8.9)
- Data Masking (8.11)
- Data Leakage Prevention (8.12)
- Monitoring Activities (8.16)
- Web Filtering (8.23)
- Secure Coding (8.28)
Configuration Management (8.9)
Configuration management is the process of maintaining computer systems, servers, and software in a desired, consistent state. It ensures that a system performs as it is expected to as changes are made over time. Configuration management tools perform various roles to ensure consistency among physical and logical assets. These tools identify and track configuration items and document functional dependencies and are invaluable for understanding the impact of changing one configuration item on all the others.
Such example controls can include:
- Maintaining a Configuration Management Database (CMDB), usually as part of a configuration management tool.
- Standard templates for the secure configuration or hardening of hardware, software, services, and networks. Examples are server and laptop builds.
- Changing vendor default authentication information such as default passwords immediately after installation and reviewing other important default security-related parameters.
- Verifying that licence requirements have been met.
Considerations for Data Deletion (8.10)
Information stored in information systems, devices, or any other storage media should be deleted when no longer required to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory, and contractual requirements.
When deleting information on systems, applications and services, the following should be considered:
- The deletion method (e.g., electronic overwriting or cryptographic erasure) should be chosen by business requirements and consideration of relevant laws and regulations.
- Results of deletion should be recorded as evidence.
- When using a service provider evidence of information deletion should be obtained from them
- Using approved, secure deletion software to permanently delete information to help ensure information cannot be recovered by using specialist recovery or forensic tools.
- Using approved, certified providers of secure disposal services.
- Using disposal mechanisms appropriate for the type of storage media being disposed
Data Masking (8.11)
Data masking is the process of modifying sensitive data so that it is of no or little value to an attacker whilst still being usable by software or authorised personnel or systems. Masking is applied to a data field to protect data that is classified as personally identifiable information, sensitive personal data, or commercially sensitive data.
In some organisations, data that appears on the screens of call centre operators may have masking dynamically applied based on user security permissions; an example is preventing call centre operators from viewing the full credit card numbers in billing systems.
Example controls that can be used for data masking that meet ISO 27002:2022 guidelines include:
- Data encryption
- Nulling or deleting characters to prevent unauthorised users from seeing full messages
- Varying numbers and dates
- Substitution by changing one value for another to hide sensitive data
- Hashing data, which is irreversibly transforming data into a unique value or key that represents the original value
Data Leakage Prevention (8.12)
Data leakage prevention is the process of preventing and detecting the unauthorised disclosure and extraction of information by individuals or systems. Prevention measures should be applied to systems, networks and any other devices that process, store, or transmit sensitive information. These measures should be a combination of policies, processes, and technical tools.
Example Controls that can be used:
- Policies and processes to identify and classify information to protect against leakage:
- Access Control Policy
- Secure Document Management Policy
- Information Classification Policy
- Technical tools to:
- Monitor potential sources of data leakage such as email, file transfers, mobile devices, and portable storage devices
- Identify and monitor sensitive information at risk of unauthorised disclosure
- Detect the disclosure of sensitive information
- Block user actions or network transmissions that expose sensitive information
Considerations for Monitoring Activities to meet ISO 27002:2022 guidelines (8.16)
System monitoring is the practice of monitoring networks, systems, and applications to detect anomalous behaviour and potential information security incidents; an integral part of ISO 27002:2022. Monitoring should be continuous using a monitoring tool in real-time or in periodic intervals, subject to organisational need and capability. Procedures should be in place to respond to positive indicators from the monitoring system in a timely manner to minimise the effect of adverse events.
The following should be considered for inclusion in a monitoring system:
- Outbound and inbound network, system, and application
- Access to systems, servers, networking equipment, monitoring system, critical applications,
- Critical or admin-level system and network configuration
- Logs from security tools g., antivirus, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), web filters, firewalls, Data Leakage Prevention (DLP), Security Information Event Management tools (SIEM).
- Event logs relating to system and network
Web Filtering (8.23)
Web filtering is a technology that prevents users from viewing certain URLs or websites by preventing their browsers from loading pages from these sites. Web filters can deliver various solutions for personal or enterprise use.
Organisations should consider blocking access to the following types of websites:
- Websites that have an information upload function unless permitted for valid business reasons, such as file-sharing services.
- Known or suspected malicious websites, for example, those distributing malware or phishing contents.
- Command and control servers.
- Websites sharing illegal content.
Secure Coding (8.28)
Secure coding principles should be applied to software development to ensure that software is written securely thereby reducing the number of potential information security vulnerabilities in the software.
- Establish organisation-wide processes to provide good governance for secure coding.
- Configure development tools, such as integrated development environments (IDE), to help enforce the creation of secure code.
- Maintenance and use of updated development tools (e.g., compilers).
- Training of developers in writing secure
- Secure design and architecture, including threat
- Use of secure coding standards and where relevant mandating their
- Use of controlled environments for development.
- Secure coding practices specific to the programming languages and techniques being
- Using structured programming
- Prohibiting the use of insecure design techniques (e.g., the use of hard-coded passwords, unapproved code samples and unauthenticated web services).
Getting Ready for ISO 27001:2022 Certification
Although no action needs to be taken today, the updates to ISO 27002:2022 present a great opportunity for organisations to start reviewing and updating their internal controls. Doing so now, ahead of the anticipated ISO 27001 update, will enable organisations to more efficiently implement best practices to achieve compliance in the future. Being prepared is key to cyber security compliance success.
Need a helping hand? The Dionach team are ideally placed to aid you in your transition to ISO 27001:2022.