Data theft is the most common behavior in recent hacking incidents. In particular, ransomware will steal confidential information as one of the means of extorting ransom. Starting from MAZE (Maze) in 2019, ransomware will not only encrypt files , and will use the stolen trade secrets to threaten the victims. If the ransom is not paid, the trade secrets will be disclosed, causing damage to the trade secrets. In the old version of ISO27001:2013, the requirements for preventing data outflow are scattered in multiple control items, including A.12.6.1 Technical Vulnerability Management, A.13.1.1 Network Control Measures, A.13.1.3 Network Division, A.13.2.3 Electronic Communication, A.8.3.1 Management of Removable Media, etc. In this revision, ISO27001:2022's new control item 8.12 Data leakage prevention, repackages the previous control items from the perspective of preventing malicious persons from stealing data, requiring organizations to take precautions against data leakage. Breach prevention should be applied to systems, networks, and other devices that process, store, or transmit sensitive information. In addition, "Identifying and monitoring sensitive information with risk of leakage" also means that in the future, the two requirements of organizations/enterprises in A.12.4.1 Event Recording and A.12.4.3 Manager and Operator Logs will be Strengthen the audit from the aspect of data leakage.
Organizations should monitor all potential sources of data leakage, such as portable storage media, printers, and network communications, and establish specifications for the use of these devices. Organizations can assist with management using data breach prevention tools that can be used to identify data, monitor data usage and movement, and take steps to prevent data breaches (for example, alerting users to their risky behavior and blocking data transfers to portable storage devices). The organization must also formulate response actions. When a suspected data breach is detected, it can respond quickly to prevent the damage from expanding. For example, immediately cut off the network connection of the victim computer and identify the computer to find out. source of attack.
-ASF Lead Auditor Dan Lin