Data Masking Process
[Insert classification]
Implementation guidance
The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.
Purpose of this document
This document defines the organization’s process for the use of data masking techniques such as anonymization and pseudonymization to protect personally identifiable information (PII)
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
• A.5 Organizational controls
o A.5.1 Policies for information security
• A.8 Technological controls
o A.8.11 Data masking
General guidance
Data masking can be a complex activity which requires a clear understanding of the dangers of re identification of the data involved. It is important that personnel performing these activities are competent in the techniques used, including the assessment of the risk of re identification. This process document covers the main steps, but it may be useful to create a set of lower level procedures to give specifics in cases where data is regularly anonymized.
Review frequency
We would recommend that this document is reviewed annually and upon significant change to the organization and relevant legislation.
Data Masking Process
[Insert classification]
Document fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.
To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.
If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.
If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.
Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.
Copyright notice
Except for any specifically identified third party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.
If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Data Masking Process
[Insert classification]
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.
Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.
You should take all reasonable and proper legal and other professional advice before using this document.
CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
Data Masking Process
Data Masking Process
Data Masking Process
classification]
Revision history
VERSION
Distribution
Approval
Data Masking Process
[Insert classification]
Introduction
[Organization Name] collects and processes a wide variety of personally identifiable information (PII) as part of its normal business operations. In order to reduce risk both in the long term storage of this PII and in circumstances where it is shared with a third party, it may be appropriate to use data masking techniques to anonymize the information. This task must be carried out in a careful and managed way in order to reduce the chances of the data being re identified. If this were to happen, [Organization Name] may be liable to significant fines under applicable privacy legislation.
The purpose of this document is to set out a process for data masking which must be followed where the task is carried out, and to form the basis for more detailed procedures that may be created to cover specific, often regular, data masking exercises.
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The following policies and procedures are relevant to this document:
• Data Masking Policy
• Privacy and Personal Data Protection Policy
• Records Retention and Protection Policy
Data Masking Process
classification]
2 Data masking process
The process of data masking is shown in Figure 1 and described in the following sections.
1 Data masking process
Data Masking Process
[Insert classification]
2.1 Understand requirements
The requirements for the intended processing of the PII involved must be fully understood before any data masking activities can be carried out. These requirements will include:
• Details of the PII, such as its source and format, for example spreadsheet or database
• Who the PII will be released to, particularly whether it will be to the public, or to a specified number of people or organizations
• The specific data attributes that are of interest to the recipient of the data
• How the PII will be processed and the types of analysis to be carried out
• The sensitivity of the PII and the degree of risk associated with re identification of the data
This information will be used to guide further steps of the process and to allow a re identification risk threshold to be determined. This threshold must take into account the sensitivity of the data and will be used to assess when sufficient anonymization has been completed.
2.2 Analyse data attributes
The PII dataset must be analysed to determine which of the attributes within it are direct or indirect identifiers and so could show who the PII principal is. A direct identifier is an attribute which is explicitly related to the PII principal and can on its own identify them. An indirect identifier is an attribute which could be used to identify the PII principal when combined with other information.
Attributes that are not required for the specific processing involved must be removed in order to minimise the data provided. This is often referred to as attribute suppression. This will allow attention to be focused on those attributes which require data masking.
2.3 Perform anonymization
The anonymization of attributes that are direct or indirect identifiers may then be carried out. There are a number of techniques that may be used depending on the purpose of the processing for which the PII is being provided. The process of anonymization must not result in a dataset that cannot produce the results that are required, for example replacing an age with an age range if the objective of the processing is to be very age specific.
The following techniques may be used according to best practice and where appropriate, supported by software tools. Note that additional techniques exist which may also be appropriate and are not listed here.
Data Masking Process
classification]
2.3.1 Record suppression
This technique involves the removal of complete records that are not required for the purpose of the processing, for example people who are not within the age range of interest to the recipient. It may also be appropriate to remove “outlier” records which are unusual in their content and so may lead to re identification.
2.3.2 Character masking
Masking of characters within data may be performed, for example account numbers as 1234xxxx, or credit card numbers according to PCI DSS (Payment Card Industry Data Security Standard) requirements. Issues such as whether the original length of the data attribute will be preserved must be considered.
2.3.3
Pseudonymization
Pseudonymization involves replacing a data attribute value with a different piece of data that does not identify the PII principal, for example replacing a name with a number. This is different to anonymization because the ability to re identify a PII principal is preserved through the use of a reference file which maps the original data to the pseudonym. In most circumstances the reference file will not be provided to a recipient with the amended dataset, resulting in a file that has been anonymized as far as the recipient is concerned. If this technique is used, the relevant reference file must be protected appropriately, as it provides an easy method of re identification of the data.
In applying this technique, care must be taken that the replacement of data attributes is not performed according to a discernible pattern which would allow records to be recognised based on their order in the file.
2.3.4 Generalisation
Data attributes may be generalised by replacing specific values with a range, for example an age of 26 with an age range of 20 30. This makes the data less precise and must be used based on a clear understanding of the intended purpose of the resulting dataset. Care must be taken in the choice of ranges to be used so that they maintain the usefulness of the data.
2.3.5 Aggregation
Where specific records are not required, it may be appropriate to aggregate them into a summary, for example using sums or averages. Where summarised ranges are used, care
Data Masking Process
[Insert classification]
must be taken to ensure that ranges contain sufficient records to disguise the source of the data, for example avoiding a range with a single entry which may allow recognition of the PII principal involved.
2.4 Assess re-identification risk
Once initial data masking activities have been completed, an assessment must be carried out to determine whether the degree of anonymization achieved so far meets the re identification risk threshold set at the start of the exercise. If so, the process may move to the next step but if this is not the case then further anonymization techniques may need to be used.
There are a number of common methods used to measure the risk of re identification, including k anonymity and differential privacy, and an explanation of these is outside the scope of this process document.
2.5 Set controls
Once sufficient anonymization has been carried out to meet the re identification risk threshold, additional controls must be considered to accompany the dataset, where the data masking is of internally held information, these controls may already be in place, but a review of these is still warranted. For PII that is to be shared externally, an agreement must be reached with the recipient of the data concerning the controls that will be applied. The specific controls will depend on the circumstances of the transfer but may include:
• Access control limiting the people who have access to the PII within the recipient organization, often using file permissions or an encryption key or password. If online access is managed by [Organization Name], for example using a portal, then a greater level of control may be applied, including taking access away if necessary
• Restricting the type of access rather than providing the full dataset, query only access may be granted to the third party, where only the results of (potentially limited) queries are displayed
• Physical controls limiting the locations where the data may be accessed from, along with monitoring controls such as CCTV, no use of cameras or removable storage
• Use of digital rights management controls additional controls may be placed on the files provided which are managed from a central point, including an inability to print or save the file
Where controls are to be applied by the recipient of the data, a written agreement must be obtained.
Data Masking Process
[Insert classification]
2.6 Documentation
It is important that the methods used to anonymize the data are documented, along with the results of risk assessments and any encryption keys that have been used. This information must be stored securely as it could be used to re identify the data at a later time.
Documentation may be required during audits or as part of an investigation if there has been a successful attack on the data.
2.7 Review and audit
Data masking exercises must be reviewed by management at an appropriate frequency in line with the potential sensitivity of the data involved. These reviews must consider:
• Whether any third parties involved are providing the agreed level of protection for the data, including applying the controls identified when the PII was provided
• If any additional risks to the re identification of the data have arisen, such as the availability of related data which could allow the re identification of individuals
• The continuing suitability of the anonymization techniques used, and the degree to which they were applied
The above considerations may also be reviewed as part of an audit programme which will provide an independent view of data masking activities.