50 Data leakage is the unauthorised removal, copying, distribution, capture or other disclosure of sensitive data that results in a loss of data confidentiality (also known as a data breach). Access to data removal methods would typically be subject to risk assessment and granted only where a valid business need exists.

51 Controls, commensurate with the sensitivity and criticality of the data, would typically be implemented where sensitive data is at risk of leakage. Examples of data leakage methods include the misuse of portable computing devices (e.g. laptops, tablets, mobile phones), portable storage devices (e.g. USB flash drives, portable hard drives, writable disks), electronic transfer mechanisms (e.g. email, instant messaging) and hard copy.

52 Typically, the strength of data leakage controls would be commensurate with the sensitivity of the data. Examples of data leakage controls include:
    52a authorisation, registration and regular review of users and of the associated transfer mechanisms and devices, including printers, telephony and video conferencing equipment. Users with a greater level of access to sensitive data would be subject to increased scrutiny;
    52b appropriate blocking, filtering and monitoring of electronic transfer mechanisms, websites and printing;
    52c appropriate encryption, cleansing (secure erasure before reuse or disposal) and auditing of devices;
    52d appropriate segmentation of data, based on sensitivity and access needs;
    52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business-implemented technology solutions);
    52f appropriate removal of sensitive data after recovery tests are concluded.

53 Wholesale access to sensitive data (e.g. the contents of customer databases, or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents includes the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale, trade or exploitation of customer identity data.