ISO 27001 and its relationship with DLP and PII

What is ISO 27001

ISO 27001 is an international standard for information security management. It specifies a management system that organizations can use to identify, manage, and reduce the risks associated with handling sensitive information. The standard provides a framework for managing sensitive information in a manner that is secure, reliable, and compliant with legal and regulatory requirements. Organizations that comply with ISO 27001 can demonstrate to customers, partners, and regulators that they have implemented a robust information security management system.

Which ISO 27001 controls are around PII (Personally Identifiable Information)?

The ISO 27001 standard includes several controls specifically related to protecting Personally Identifiable Information (PII). Here are a few:

• A.5.1 Information security policy, which includes a requirement for the organization to define and implement security policies and procedures for the protection of PII.
• A.6.1 Internal organization, which includes a requirement for the organization to include segregation of duties and information security considerations in the project management process.
• A.6.2 Mobile device policy, which includes a requirement for the organization to define and implement security policies and procedures for the protection of PII on mobile devices and teleworking sites.
• A.8.2 Information classification, which includes a requirement to classify, label and handle information in accordance with the data classification scheme adopted by the organization.
• A.8.3 Media handling, which includes a requirement for the organization to establish procedures for the protection of PII on removable media.
• A.9 Access control, which includes requirements for the organization to define and implement controls to limit user and system access to PII.
• A.12.3 Backup, which includes a requirement for the organization to protect against loss of data by creating copies of information
• A.13.2 Information transfer, which includes a requirement for the organization to establish procedures to protect the transfer of PII across all types of communication facilities.
• A.16.1 Management of information security incidents and improvements, which includes a requirement for the organization to establish procedures for the reporting of security incidents involving PII.
• A.18.1 Compliance with PII protection laws and regulations, which includes a requirement for the organization to comply with all applicable laws and regulations related to the protection of PII.

It's worth noting that ISO 27001 standard does not specify a specific control for PII, but it's a requirement for all organizations that handle PII to implement a set of controls that cover the protection of PII and comply with all applicable laws and regulations.

Which ISO 27001 controls can Data Loss Prevention (DLP) help with?

A Data Loss Prevention (DLP) solution can help several controls specified in ISO 27001 for information security management. Some of these include:

• Classification: DLP solutions can classify sensitive information based on predefined criteria, such as data type, owner, or content, and apply appropriate security measures to protect it.
• A.8.2 Information classification policy
• Access Control: DLP solutions can monitor and control access to sensitive information, ensuring that only authorized individuals have access to it.
• A.8.3 Media handling
• A.9.1 Access control policy and procedures
• A.9.2 User access management
• A.9.3 User responsibilities
• A.9.4 System and application access control
• Availability: DLP solutions can ensure the availability of sensitive information by preventing unauthorized modification or deletion and providing backup and restore features.
• A.12.3 Backup
• Media Protection: DLP solutions can prevent sensitive information from being copied, transferred or removed from the organization's network or endpoint devices.
• A.13.2.1 Information transfer policy and procedures
• A.13.2.3 Electronic messaging protections
• Incident Management: DLP solutions can detect, investigate and respond to security incidents related to sensitive information, such as data breaches or unauthorized access attempts.
• A.16.1.1 Security incident management policy and procedures
• A.16.1.2 Reporting of information security events
• A.16.1.7 Collection of Evidence
• Compliance: DLP solutions can help organizations comply with regulations related to the protection of sensitive information, such as HIPAA, PCI-DSS, and GDPR.
• A.18.1 Compliance with legal and contractual requirements

It's worth noting that DLP is just one of the several different control options that organizations can use to meet the requirements of ISO 27001, and it's important to evaluate which controls are appropriate for an organization's specific needs.

Introducing Strac Data Loss Prevention (DLP)

Strac is a DLP solution that helps protect against sensitive data leaks across all your SaaS solutions, including Zendesk, Slack, Office 365, Google Drive, AWS and more. Below are examples of how Strac DLP can help your organization with controls specified in the ISO 27001 standard.

Classification

Email services like Outlook and Gmail are essential for business communication.

At an individual level, Strac DLP can help label emails in your inbox & sent folders according to the information classification scheme adopted by your organization. For example, an inbound email from a customer may contain their identification information. An outbound email to a vendor may contain your payment information.

At an organizational level, Strac DLP can provide insights into information exchange patterns exhibited. Metrics like top PII senders/receivers and data types exchanged help security teams identify and manage risks.

Strac DLP uses machine learning to classify information accurately within an email. The algorithm is actively being improved to provide increased coverage and accuracy. Currently, it is capable of categorizing over 40 data types.

Controls:

1. A.8.2.1 Classification of information
2. A.8.2.2 Labelling of information

Access Control & Media Protection

Customer support software like Zendesk and Intercom handle customer tickets. These tickets may contain identification information to assist with fraud checks or payment information for managing returns.

According to the United States Bureau of Labor Statistics, the average customer-service representative stays on the job for just over one year. The average call center turnover rate is as high as 45%. Outsourcing customer support teams to lower-cost locations like India further increases the risk of data leaks

Strac DLP can mask sensitive data detected by its classification engine to prevent data leaks. Sometimes, sensitive data is required for customer service. To achieve this, Strac provides different policies to meet the organization's needs. For example, masking can occur only after a ticket is closed to keep historic data safe. Strac DLP can also be configured to allow masked data to be viewable for a certain amount of time by authorized groups.

Controls:

1. A.8.3.1 Management of removable media
2. A.9.1.2 Access to networks and network services
3. A.9.2.3 Management of privileged access rights
4. A.9.3.1 Use of secret authentication information
5. A.9.4.1 Information access restriction
6. A.9.4.2 Secure log-on procedures
7. A.13.2.1 Information transfer policies and procedures
8. A.13.2.2 Agreements on information transfer
9. A.13.2.3 Electronic messaging

Availability

Instant messaging software like Slack and WhatsApp are an increasingly popular way to handle business communications.

Strac DLP can back up documents in specific channels (e.g., external Slack channel with B2B customers) to protect against data loss due to ransomware attacks.

Controls:

1. A.12.3.1 Information backup

Incident Management

File sharing systems like Google Drive and Sharepoint are effective collaboration tools and contain vast amounts of sensitive information.

Strac DLP can alert the security team when anomalous data exchanges have been detected. These behaviors may include a variety of events, for example, when a crypto address is exchanged in a healthcare organization. Or when large amounts of sensitive data have been exchanged, etc.

Controls:

1. A.16.1.2 Reporting of information security events
2. A.16.1.7 Collection of Evidence

Compliance

ISO 27001 asks organizations to protect PII according to legislatory and regulatory requirements. Let's explore how Strac can help achieve this:

SOX: All publicly traded companies that operate in the USA must comply with SOX, which requires any financial information to be safeguarded and its integrity assured. The first step to safeguarding data is to take inventory of sensitive files. This task alone can be overwhelming due to the vast ecosystem of a large enterprise

Strac DLP can scan cloud file storage systems for financial information and automatically identify where they are and the types of content it contains. By analyzing access controls placed on the files & folders, Strac can alert organizations when existing access controls need to be tightened. For example, if an invoice is accidentally shared with anyone on the Internet and contains business bank account numbers, it will be flagged and auto-remediated by Strac.

IRS 4557: CPA firms often receive emails containing customers' tax information and are required to store it securely (e.g., strong password, MFA, backups, etc) due IRS Publication 4557 for Safeguarding Taxpayer Data.

Strac DLP can detect and mask sensitive information like SSN, EIN and bank account information so that customer information can be stored securely inside Strac Vault. Email servers have a poor track record of keeping data safe and are thus high-value targets for cybercriminals. Unlike email servers, Strac Vault is secure by default, enabling businesses to stay compliant through its data and access control policies.

HIPAA: Healthcare clinics might use Google Sheets or a database to manage patient information. The patient information should only be shared with the patient's consent because of the Health Insurance Portability and Accountability Act (HIPAA).

Strac DLP can help clinics gain insight into their patient base by anonymizing the database. For example, a patient age 25 years will be replaced with age group 19 - 29 so that even if the data is shared it will not identify the original patient.

Controls:

1. A.18.1.3 Protection of records
2. A.18.1.4 Privacy and protection of personally identifiable information

Conclusion

Strac's data centric design enables organizations to achieve ISO 27001 compliance, even when using SaaS applications. With its DLP policies, Strac helps protect data from misuse or disclosure and keeps organizations secure.

Organizations of all sizes can benefit from Strac’s robust data loss prevention solution. With the right tools in place, organizations can be confident that they are taking the necessary steps to protect their customers’ information while properly managing it in accordance with international standards and regulations.

Any questions?

If you have any questions or want to meet the Data Loss Prevention (DLP) requirement for ISO-27001, please book a meeting with us.