ISO/IEC 27040 — Information technology — Security techniques — Storage security (DRAFT)
The proposers of this standard felt that the information security aspects of data storage systems and infrastructures have been neglected due to misconceptions and limited familiarity with the storage technology, or in the case of storage managers and administrators, a limited understanding of the inherent risks or basic security concepts.
As they put it in the New Work Item Proposal:
“Storage has matured in an environment where security has been a secondary concern due to its historical reliance on isolated connectivity, exotic technologies, and physical security of the data centers. Even as storage connectivity evolved to use technologies like the Internet Small Computer Systems Interface (iSCSI) protocol over TCP/IP, few users took advantage of either the inherent security mechanisms or the recommend security measures (e.g., using IPsec to secure the communications).”
Consequently stored information is needlessly placed at risk.
Scope and purpose
The standard will help the purchasers and users of computer storage technologies determine and treat the associated information security risks. The scope covers: “... the security of devices and media, security of management activities related to the devices and media, applications/services, and end-users, in addition to security of the information being transferred across the communication links associated with storage.”
The standard aims to:
Draw attention to common information security risks associated with protecting the confidentiality, integrity and availability of information on storage technologies;
Encourage organizations to improve their protection of stored information using suitable information security controls; and
Improve assurance, for example facilitate reviews or audits of the information security controls protecting data storage.
The information security issues associated with backup/disaster recovery locations and cloud storage will be covered, as well as those associated with primary/local storage on a variety of data storage technologies, media and subsystems (e.g. SAN, NAS and CAS).
Media sanitization (destruction of data on various types of storage media) will also be covered.
The draft standard outlines information security risks associated with data storage, implying that the controls it then recommends may explicitly address the identified risks. It mentions a number of specific storage technologies which is unusual for the ISO27k standards that are usually more generic and hence timeless.
I am pleased to note that ‘resilience’ is covered in the draft standard - an important concept that is conspicuously absent from ISO/IEC 27002.
Status of the standard
Along with other comments, a substantial contribution from the US standards body was integrated into the draft standard. The 1st CD is available to SC27.
The standard remains on track for release in 2013.