
Series: New Controls in ISO/IEC 27001:2022 Annex A

  • sujosutech
  • Jul 21
  • 3 min read

Data Leakage Prevention

In this article series, we are analyzing the implementation aspects of the 11 new controls of ISO/IEC 27001:2022 Annex A. The eighth article of the series explores the new technological control 8.12 (Data leakage prevention).



Control

Control 8.12 (Data leakage prevention) defines the best practices for the prevention and detection of unauthorized data leakage from systems, networks and other devices.


Attributes

Implementing this control helps an organization prevent and detect unauthorized disclosure and extraction of sensitive information, and hence protect the confidentiality of that information.


Implementation

The organization should define processes for monitoring information channels such as emails, file transfers and USB devices to prevent sensitive information from leaking. Data leakage prevention tools should be used to monitor and detect the disclosure of sensitive information, and to prevent user actions or network transmissions that could expose sensitive information. The tools should be selected after carefully considering the business requirements, perceived risks, and relevant laws and regulations.


The organization should ensure that all backup media are protected using encryption, access control and other techniques to prevent data leakage. Data leakage prevention techniques should also help to prevent adversaries from accessing confidential or secret information whose exposure might cause harm to the organization or the nation.


Artefacts

The contents and implementation of the following security policies and procedures may be impacted by the above control:

  • Information Classification and Handling Policy – This policy ensures that sensitive information is protected from unauthorized use and disclosure. It helps to facilitate the identification and classification of sensitive information that should be protected from adversaries.

  • Data Protection Policy – This policy ensures that data is gathered, stored and handled securely, with respect for individual rights. It defines the responsibilities for data leakage prevention.

  • Access Control Policy – The access control policy should include rules for accessing sensitive data as per the security requirements of the organization.

  • Acceptable Use Procedure – This defines the acceptable and unacceptable usage of sensitive information.

  • Security Operating Procedures – Rules for the secure handling of sensitive information may be defined within security operating procedures.

  • Data Leakage Prevention Procedure – This procedure defines the rules for protecting the organization's restricted, confidential or sensitive data from loss, in order to avoid reputation damage and adverse impact on customers.


How Sujosu Technology Can Help

Sujosu Technology helps organizations design and implement systems that prioritize cyber security, data privacy and compliance. Our services include:

  • Risk Assessments: Identifying cyber security and privacy requirements and vulnerabilities in applications and infrastructure.

  • Countermeasures and Solutions: Providing tailored strategies to prevent, detect and recover from potential attacks.

  • Compliance Documentation: Helping you comply with the requirements of specific standards and regulations by compiling policies, procedures and other relevant manuals.

  • Training and Awareness: Equipping your team with the knowledge to address cyber security and privacy challenges effectively.


With Sujosu Technology’s expertise, your organization can build systems that are secure and resilient against security and privacy breaches. We can also help you achieve compliance with relevant standards and legislation. In addition, we organize webinars and publish insightful articles to create awareness of various aspects of cyber security and data privacy.


Partner with Sujosu Technology

Protect your data and ensure compliance with Sujosu Technology’s state-of-the-art cyber security and privacy services. Stay ahead of challenges and foster trust with your stakeholders.

 
