ISO 27002:2022 introduces several new information security controls including A8.11 – Data masking
This blog takes a brief look at what is required.
Data masking in ISO 27002:2022
The new control id 8.11 – Data masking has been added to ISO/IEC 27002:2022 to limit the exposure of sensitive data including PII, and to comply with legal, statutory, regulatory and contractual requirements placed on your organisation.
The control addresses how data masking should be used together with the organisation’s access control and other policies to protect data and prevent leakage.
Where the protection of sensitive data is a concern, the organisation should consider hiding such data by using techniques such as additional data masking, pseudonymization or anonymization.
What is Data Masking?
Data masking takes a number of forms. The most common example we see everyday is the asterixis **** used to hide your password. This prevents those around you from seeing what you type into the box. It also mitigates against screen recording or screen sharing.
However more complex examples of data masking can include pseudonymization or anonymization, where data within a system or database is obscured, requiring a third party process in order to view the data, therefore protecting against a data loss.
This is common in systems that store payment information or sensitive personal information.
The objective of data masking is to protect data from unauthorised access or disclosure.
How to Evidence A8.11 of ISO 27002:2022
Many off-the-shelf software platforms will have data masking built in as standard, particularly where they are compliant to industry requirements such as PCI DSS for Payment Cards or HIPAA regarding healthcare data in the US.
If you use off-the-shelf systems you should check the configuration options to ensure that all the appropriate security controls are applied.
If you develop a bespoke software application for your business, or build a software product, you should apply best practices from organisations cuhas as SANS or OWASP to harden your application.
Understanding what data is stored within your application and where it is stored is the first step. Then apply controls including data masking in line with your risk assessment.
Remember that users of your application may not use fields for the purpose you intend. For example, they may store payment card details in a field intended for notes etc. So this should be considered when applying data masking techniques.