When withdrawing money from the ATM, you’re instructed to protect your PIN before entering it into the machine. This is a form of Data Masking, and that’s what this new ISO27001 control is all about.
It’s about hiding information from prying eyes to limit the exposure of your sensitive or personal data. This might be to comply with legal, statutory, regulatory or contractual requirements, but it’s also because it protects your reputation.
What does the standard require?
The standard states that "Data masking shall be used in accordance with the organisation's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration." (A8.11 – Data Masking)
To be clear, data masking prevents unauthorised personnel from reading the information or data.
Why is this required?
Data Masking can be a critical tool when evidencing compliance with regulations like the California Consumer Privacy Act (CCPA), EU General Data Protection Regulation (GDPR) and UK Data Protection Act (DPA). Without data masking in place, someone could gain access to systems or services that they have no right to access.
Without data masking in place, unauthorised personnel or intruders could alter the information, or take it and use it for their own purposes. For example, anyone taking credit card details should ensure that the banking details are masked, so that should there be a breach, the information is not easily obtained by the attackers. Sadly, this doesn’t always happen.
We worked with a private school that took payments directly from parents and stored the information in an unprotected spreadsheet. The information wasn’t protected, and the data was not masked. This spreadsheet contained hundreds of details of financial information, including bank numbers, expiry dates and card verification value (CVV) numbers. This spreadsheet was routinely emailed to various internal people, and was accessible to the external IT support team.
What the auditor is looking for
For this ISO27001 control, the auditor will expect to see:
Access Control Policy (A5.15 – Access Control).
Review of access rights (A5.18 – Access Rights).
Data Classification scheme (A5.12 – Classification of information).
Data Protection Policies (A5.34 – Privacy and protection of PII).
Clear desk and clear screen policies (A7.7 – Clear desk and clear screen).
Encryption is in place (A8.24 – Use of cryptography).
Awareness, training and education (A6.3 – Information security awareness, education and training).
Risk Register.
Management Review Meeting minutes and actions.
What do you need to do?
At first glance, it may appear that this ISO27001 control is all about applying technical controls to mask data. ISO27002 discusses pseudonymisation and anonymisation and primarily focuses on techniques for disguising or concealing information.
However, the control specifically mentions the access control policy and other related topic-specific policies. Therefore, consider additional controls, and don't simply point to one aspect of data masking. For example, segregation of duties might ensure that certain menu options (in software tools) are 'masked' from view unless I have elevated access rights.
Review what you have done for ISO27001 controls (A5.3 - Segregation of duties) and (A5.18 - Access Rights), and ensure your auditor is aware of what is in place.
Review the data classification scheme that you developed as part of ISO27001 Annex A control (A5.12 - Classification of information) as this will help identify the data that should be masked. For example, data masking should apply to confidential or sensitive personal data. This includes passwords, PIN codes, bank card numbers, salary information, social security or national insurance numbers, drivers' licence numbers, medical details, etc.
At the simplest level, encrypt data, both at rest and in transit. But pay close attention to what happens when data is entered into a system, or provided over the phone. Engage in discussions with those who collect this information about how critical data is provided to you. For example, speak to call handlers taking payment details over the phone. Are calls recorded? Do call handlers pause the recording before taking banking details from the caller? What about entering the information into the system? Does it display all the banking details, or is it substituted by special characters (e.g. “£$**##”)?
Look at how you implemented ISO27001 Annex A control A5.3, segregation of duties, and identify what data is 'masked' from those who do not need to access the information. For example, I might have access to the HR system, but as a team leader I won't have access to salary details. Perhaps only the payroll team needs access to this level of data. The menu option, or the data itself, may be masked from personnel who do not have rights to that part of the system.
If you have development within scope of your ISO27001 programme, then you need to consider how data is used in testing environments. Speak to your development team about this. This is specifically covered in ISO27001 Annex A control (A7.33 - Test information), with data perhaps needing to be controlled and masked differently.
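The three practical questions raised above (what does the system display when card details are entered, which fields are hidden from a role that does not need them, and how is live data disguised before it reaches a test environment) can all be answered with a small, auditable piece of code. The following is an added example, not code from the original article or from any product it mentions. It assumes a constructed classification table (MASK_RULES), a constructed role table (ROLE_ACCESS), and a hypothetical pipeline key for pseudonymisation; all sample values are made up.

```python
"""Field-level data masking and pseudonymisation (added example, not from the article)."""
import hashlib
import hmac
import re

# Constructed classification table: sensitive field -> masking technique.
# Assumption: in practice this is derived from the A5.12 classification
# scheme rather than hard-coded.
MASK_RULES = {
    "card_number": "last4",    # partial mask: keep only the final four digits
    "cvv": "full",             # never displayed once captured
    "ni_number": "full",       # national insurance number: never displayed
    "salary": "restricted",    # shown in clear only to roles listed in ROLE_ACCESS
}

# Constructed role table: which "restricted" fields each role may see in clear
# (the team-leader-versus-payroll example from the text).
ROLE_ACCESS = {"payroll": {"salary"}, "team_leader": set(), "call_handler": set()}


def mask_last4(value: str, mask_char: str = "*") -> str:
    """Replace every digit except the last four with mask_char.

    Separators (spaces, dashes) are preserved so the masked value keeps its
    shape on screen. A value with four digits or fewer is masked entirely, so
    a short or malformed input never leaks in clear.
    """
    digits = sum(1 for c in value if c.isdigit())
    keep_from = digits - 4 if digits > 4 else digits  # mask all if too short
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            out.append(c if seen >= keep_from else mask_char)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_full(value: str, mask_char: str = "*") -> str:
    """Replace every character; length is preserved so the UI layout is unchanged."""
    return mask_char * len(value)


def mask_record(record: dict, role: str) -> dict:
    """Apply MASK_RULES to one record for a viewer holding the given role."""
    allowed = ROLE_ACCESS.get(role, set())  # unknown role: sees nothing restricted
    masked = {}
    for field, value in record.items():
        rule = MASK_RULES.get(field)
        if rule is None:
            masked[field] = value
        elif rule == "last4":
            masked[field] = mask_last4(str(value))
        elif rule == "full":
            masked[field] = mask_full(str(value))
        elif rule == "restricted":
            masked[field] = value if field in allowed else "[restricted]"
    return masked


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256, truncated) for test environments.

    The same input always maps to the same token, so joins between tables in
    test data still work, but the token cannot be reversed without the key.
    Assumption: the key lives only in the masking pipeline, never in test.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


# Runs of 13 to 19 digits, optionally separated by spaces or dashes, to catch
# card numbers that have leaked into free text such as log lines.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_pans_in_text(text: str) -> str:
    """Mask anything that looks like a card number inside free text."""
    return _PAN_RE.sub(lambda m: mask_last4(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample record: every value below is made up.
    sample = {"name": "A. Parent", "card_number": "4111 1111 1111 1111",
              "cvv": "123", "salary": 42000}
    print(mask_record(sample, "team_leader"))
    print(mask_record(sample, "payroll"))
    print(mask_pans_in_text("payment ok card=4111111111111111 amount=50"))
    print(pseudonymise("A. Parent", b"hypothetical-pipeline-key"))
```

Two design points worth noting for an audit: the masking decision is driven by the classification table and the role table rather than scattered through screen code, which makes the A5.12 and A5.3 linkage visible to the auditor, and the pseudonymisation function is keyed, so test data that reaches the development team (the A7.33 concern) cannot be mapped back to a parent or cardholder without a key they never hold.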
Finally, you might also consider physical security controls that support data masking. For example, privacy screens on devices mask information from people 'shoulder-surfing' (i.e. looking over your shoulder), or you might position screens so that people can't see what you're entering into a system.
As with many aspects of ISO27001, there are simple techniques that can be applied, but as you continually improve your security you should look beyond the obvious to implement a well-rounded security control.
Difficulty rating
We rate this control 2 out of 5 for difficulty. Enabling encryption is relatively easy, as most systems and devices have this as standard, and most systems also mask information like passwords and PIN codes. However, you need to understand what other controls are available to you, and this requires a little more knowledge and understanding of your systems and processes.
Q&A
When should we implement data masking?
This should be a consideration at the start of the development process or the software selection process. "How are we maintaining security?" should be a question asked at the earliest point in the decision-making process.
More questions?
You've probably noticed by now that nothing in ISO27001 sits in isolation, so you should review our FAQ to find answers on other aspects of the standard. Follow the links in this control to see how it relates to other controls, but if you're still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book "The Real Easy Guide to ISO27001".