With the world in a current effort to reduce COVID-19 spread, social distancing has drastically changed the way we work, with working from home and taking business information off-premises becoming a daily reality. Additionally, to find a cure or effective treatment for COVID-19, the gathering and sharing of information about those infected, most of this being Personally Identifiable Information (PII), has become paramount.
However, allowing access to information in both of these cases, and the gathering of data in the latter case, bring risks that can outweigh all the benefits of such practices.
Fortunately, organizations can find frameworks that can help in these situations, one of which ISO 27001, an internationally recognized standard that addresses information security management.
This article will present some common risks related to sensitive data and how ISO 27001 can help organizations to protect them, whether they are just stored or being communicated.
Common risks related to data in a pandemic
Considering business information off-premises, some of the common risks it is subjected to during a pandemic situation are:
- Cyberattacks against remote locations: In their own environments, companies have complete control of their assets, defining secure physical and electronic layers. But often in remote locations, security practices are not so robust (e.g., use of personal devices and public networks).
- Breach of legal requirements: Outside a company’s environment, it is more difficult to ensure employees’ compliance with laws (e.g., GDPR, HIPAA, etc.) and contract clauses related to data protection.
- Social engineering attacks: In a time of need, malicious people can take advantage of people trying to help fight the pandemic, or unused to remote work practices, to steal or prevent users from accessing information (e.g., ransomware).
As for personal information for fighting the pandemic, some of the common risks are:
- Excessive gathering and sharing of private and sensitive information: Uncertain of which information is important to prevent disease and develop the cure or treatment, companies may collect more than they need and share the excess information with other parties.
- Low engagement of third parties: Although the information may be properly protected by the main organization that collected the personal data, other parties with which the data may be shared may not have the proper practices to store, process, or communicate that information.
Internet searches can show many solutions on how to deal with these risks, but only implementing them without proper follow up can cause a company to either overprotect data, negatively impacting desired outcomes (e.g., business objectives or cure or treatment for pandemic diseases), or to leave critical risk unproperly treated, leaving data, companies, and persons without adequate protection.
ISO 27001 framework
ISO 27001 is an internationally certifiable standard, published by the International Organization for Standardization (ISO). It defines the requirements for systematic protection of information, in the form of an Information Security Management System (ISMS), which is applicable to organizations of any size and industry.
In short, it helps an organization to:
- define its general approach to information security (e.g., relevant requirements, scope, policy, etc.)
- identify and treat relevant risks (through a risk management approach and identification of applicable legal requirements)
- implement needed controls (covering organizational, technical, and physical aspects)
- continuously evaluate and improve the ISMS
When implemented well, ISO 27001 provides a cost-effective and robust basis for protection of their information, and those under their responsibility, with no more and no less than what is required.
ISO 27001 controls for protecting data in a pandemic
Considering the previously mentioned risks, the implementation of robust data protection considering controls from ISO 27001 Annex A would include:
Organizational aspects:
- These basically refer to the rules and responsibilities related to data protection and remote work, such as who can access the information, who is eligible for remote work, under which conditions, how to handle information, etc. The remote work is basically covered by the Mobile device policy (A.6.2.1) and Teleworking (A.6.2.1) controls, while data protection is covered by controls from section A.8.2 (Information classification), and the Identification of applicable legislation and contractual requirements (A.18.1.1) and Intellectual property rights (A.18.1.2) controls.
Additionally, organizations must also consider controls to ensure that third parties will treat data with the same level of security. For this, they should consider controls from sections A.13.2 (Information transfer) and A.15.1 (Information security in supplier relationships).
Technical aspects:
- These refer to technological implementations to ensure not only the security of data in the users’ devices, but also of the company’s data in its own infrastructure, like its servers and applications, and during communication using public networks. There is a wide range of applicable controls, like Inventory of assets (A.8.1.1), Secure log-on procedures (A.9.4.2), Policy on the use of cryptographic controls (A.10.1.1), Information backup (A.12.3.1), and Segregation in networks (A.13.1.3).
Physical aspects:
- These refer to the physical implementations to ensure that data are physically protected in the remote workplace and in the organization’s environment. These are basically covered by controls form section A.11 (Physical and environmental security).
Human resources aspects:
- These refer to the actions the company has to take to ensure that its employees, as well as relevant third parties, understand the importance of data protection and remote work, and the consequences in case of information compromise. This can be achieved by the implementation of controls such as Terms and conditions of employment (A.7.1.2), Information security awareness, education and training (A.7.2.2), and Disciplinary process (A.7.2.3).
As you can see, ISO 27001 can help cover risks in a wide range of aspects related to data protection and remote work, and the selection of proper controls is based on the risk assessment and identification of legal requirements.
Helping fight the pandemic safely as possible
To fight the pandemic is important, as is preserving people’s privacy rights. Additionally, keeping a business running is paramount, and, in both situations, it may involve keeping or sending information outside of the data custodian’s environment, increasing the risks of it being compromised.
However, such risks can be reduced to acceptable levels by applying good security practices.
ISO 27001 presents a set of security controls that can be adapted to the needs for data protection and remote work, allowing business activities and people’s privacy to be handled properly.
Remote work is a reality that is unlikely to be reversed, and fighting COVID-19 will still require access to people’s sensitive information, which brings risks, increasing the surface of vulnerabilities that can be exploited by malicious people.
In this way, it is also necessary to approach remote work also with a view of security, and for that, the ISO 27001 standard can prove to be a good basis for the protection of information.
About the Authors
Dejan Kosutic is the main ISO 27001 & ISO 22301 expert at Advisera.com, holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Author of numerous books, toolkits, tutorials and articles on ISO 27001 and ISO 22301.
Rhand Leal is an ISO 27001 expert and an author of many articles and white papers at Advisera. He holds a number of certifications, including ISO 27001, ISO 9001 Lead Auditor, CISSP, CISM, and PMP.
