The objective of information transfer policies and procedures in ISO 27001 is to control the flow of information in a secure manner between the organisation and internal/external entities. In modern business, a wide variety of data, much of it sensitive, is transferred every day.
The purpose of the information transfer controls in ISO 27001 is to ensure that these transfers take place via authorized mechanisms and that sensitive data is secured from unauthorized access or disclosure.
To achieve this, the standard recommends that organisations implement information transfer policies and procedures to govern staff handling sensitive data. This may take the form of a section within wider information security policies, but it should specify the organisation's expectations for personnel handling different types of data.
Organisations may also wish to include this within information classification and handling policies to ensure that employees know what types of data are considered sensitive and require handling and transmitting in a particular manner. So, what should information transfer policies and procedures include?
Well, firstly it is key to understand the types of data the organisation deals with and to classify this data appropriately. Establishing information transfer policies and procedures focusing on cardholder data is no good for an organisation that does not process this type of data, so an understanding of data is essential.
It is recommended that a data discovery exercise is completed with all departments to identify and rank data of the highest sensitivity. This will likely consist of customer data, personally identifiable information (PII) covered under the Data Protection Act and credit card holder data; however, this will vary depending on the industry. Another example is Government protectively marked data, which requires a higher level of protection than everyday information processed.
Understanding sensitive data types and identifying the ‘crown jewels’ as it were enables the organisation to focus efforts on establishing secure methods to transfer data. This is imperative to reduce the risk from unauthorized access or interception.
For example, an organisation processing and communicating sensitive personal data with other businesses may expose itself to a data breach if it sends this type of data unencrypted, for example in the clear via email. In this instance, the organisation would want to establish methods to transfer this data securely to ensure that only the intended recipient receives this data and that it arrives unmodified. So, how can an organisation achieve this?
Secure transfer mechanisms exist in various forms. For example, secure file repository cloud services are easily accessible and use strong encryption and access control to reduce the risk of unauthorized access or interception. With this method, the cloud service hosts a secure, encrypted drop box that is only accessible by the organisation and its data transfer partners.
By using this encrypted service, the organisation can apply more granular controls as well as encrypt all traffic, for example by auditing who has checked files in or out and by setting permissions so that only authorized personnel can access certain files.
So, following identification of sensitive data types and secure data transfer mechanisms, how can we ensure these are used? Well, this is where information transfer policies and procedures in ISO 27001 come in handy. The organisation should document and communicate a policy defining their requirements for secure data transfer.
Using language such as “all employees must use secure transfer mechanism x for y data types at all times” ensures there are enforceable rules in place that must be complied with. Compliance with policies should be communicated as part of security awareness training, and regular audits should take place to ensure all employees handling sensitive data types are aware of the secure file transfer mechanisms. Ongoing compliance should be monitored and, if possible, supporting technologies such as data loss prevention tools implemented to spot sensitive data being transferred via insecure mechanisms.
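The two steps described above, mapping each sensitive data type to the transfer mechanisms the policy permits and using a DLP-style check to spot transfers that break that mapping, as an added example in Python that is not part of the original article. The policy table, the mechanism names, the detection patterns and the transfer events are all constructed for illustration; a real deployment would take the classification scheme and the permitted mechanisms from the organisation's own policy.

```python
"""
Policy-driven transfer check: classify a payload, look up the transfer
mechanisms the policy permits for that data type, and flag transfers that
use anything weaker. Everything below is constructed example data.
"""
import re
from dataclasses import dataclass, field

# Sensitivity labels, most sensitive first; classification returns the
# highest label whose indicators match.
CARDHOLDER, PII, INTERNAL = "cardholder", "pii", "internal"

# Hypothetical policy table (an assumption for this example): the transfer
# mechanisms the organisation permits for each data type.
TRANSFER_POLICY = {
    CARDHOLDER: {"secure-file-repository"},
    PII: {"secure-file-repository", "sftp"},
    INTERNAL: {"secure-file-repository", "sftp", "email"},
}

# Candidate primary account number: 13-19 digits with optional spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Illustrative PII indicators: an e-mail address or a UK National Insurance number.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check, so that plain digit runs such as order references are not
    reported as card numbers (a common DLP false positive)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most sensitive data type detected in the text."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return CARDHOLDER
    if EMAIL_RE.search(text) or NINO_RE.search(text):
        return PII
    return INTERNAL


@dataclass
class TransferDecision:
    sender: str
    mechanism: str
    data_type: str
    permitted: bool
    required: set = field(default_factory=set)  # mechanisms policy allows


def check_transfer(sender: str, mechanism: str, content: str) -> TransferDecision:
    """Classify the content and test the chosen mechanism against the policy."""
    data_type = classify(content)
    allowed = TRANSFER_POLICY[data_type]
    return TransferDecision(sender, mechanism, data_type, mechanism in allowed, allowed)


def find_violations(events):
    """Run every transfer event through the policy; return the non-compliant ones."""
    return [d for d in (check_transfer(**e) for e in events) if not d.permitted]


# Constructed transfer events, in the shape a DLP tool might record them.
SAMPLE_EVENTS = [
    {"sender": "alice", "mechanism": "email",
     "content": "Refund for card 4111 1111 1111 1111 attached"},
    {"sender": "bob", "mechanism": "sftp",
     "content": "Customer list: jane.doe@example.com, NI AB123456C"},
    {"sender": "carol", "mechanism": "email",
     "content": "Order ref 1234567890123 shipped"},
    {"sender": "dave", "mechanism": "secure-file-repository",
     "content": "Chargeback 5500000000000004"},
]

if __name__ == "__main__":
    for d in find_violations(SAMPLE_EVENTS):
        print(f"VIOLATION: {d.sender} sent {d.data_type} data via {d.mechanism}; "
              f"policy requires one of {sorted(d.required)}")
```

Only the first event is reported: the card number goes out by email, which the policy does not permit for cardholder data. Carol's order reference is thirteen digits but fails the Luhn check, so it is classified as internal and the email transfer is allowed; this is the kind of tuning that keeps a monitoring control credible with the staff whose transfers it inspects.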
In conclusion, organisations can implement information transfer policies and procedures in ISO 27001 by first identifying and classifying sensitive data types, and then defining secure transfer mechanisms. For each sensitive data type, a method of transferring it securely should be identified, defined in policy and communicated to all employees via security awareness training. Implementation of this control will reduce the organisation's exposure to data loss or unauthorized access/interception by external parties.