iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC NP 27040

(Main)

Information technology — Security techniques — Storage security

Information technology — Security techniques — Storage security

Titre manque

General Information

Status
Published
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
Current Stage
5000 - FDIS registered for formal approval
Start Date
23-Jan-2023
Completion Date
03-Feb-2023
Ref Project

Relations

Revises
ISO/IEC 27040:2015 - Information technology — Security techniques — Storage security
Effective Date
23-Apr-2020

Buy Standard

ISO/IEC FDIS 27040 - Information technology — Security techniques — Storage security Released:5/14/2022ISO/IEC FDIS 27040 - Information technology — Security techniques — Storage security Released:5/14/2022
PreviousNext
Draft
ISO/IEC FDIS 27040 - Information technology — Security techniques — Storage security Released:5/14/2022
English language
93 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27040
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2022-07-11 2022-10-03
Information technology — Security techniques — Storage
security
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
This document is circulated as received from the committee secretariat.
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 27040:2022(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC DIS 27040:2022(E)
DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 27040
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
Information technology — Security techniques — Storage
security
ICS: 35.030
COPYRIGHT PROTECTED DOCUMENT
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
© ISO/IEC 2022
THEREFORE SUBJECT TO CHANGE AND MAY
This document is circulated as received from the committee secretariat.

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

NOT BE REFERRED TO AS AN INTERNATIONAL

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on STANDARD UNTIL PUBLISHED AS SUCH.

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

IN ADDITION TO THEIR EVALUATION AS

or ISO’s member body in the country of the requester. BEING ACCEPTABLE FOR INDUSTRIAL,

TECHNOLOGICAL, COMMERCIAL AND
ISO copyright office
USER PURPOSES, DRAFT INTERNATIONAL
CP 401 • Ch. de Blandonnet 8
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
CH-1214 Vernier, Geneva
POTENTIAL TO BECOME STANDARDS TO
Phone: +41 22 749 01 11
WHICH REFERENCE MAY BE MADE IN
Reference number
Email: copyright@iso.org
NATIONAL REGULATIONS.
Website: www.iso.org ISO/IEC DIS 27040:2022(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
Published in Switzerland
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
© ISO/IEC 2022 – All rights reserved
PROVIDE SUPPORTING DOCUMENTATION. © ISO/IEC 2022
---------------------- Page: 2 ----------------------
ISO/IEC DIS 27040:2022(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction .............................................................................................................................................................................................................................. vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

3.1 General ........................................................................................................................................................................................................... 1

3.2 Terms relating to storage technology ................................................................................................................................ 2

3.3 Terms relating to sanitization .................................................................................................................................................. 4

3.4 Terms relating to availability .................................................................................................................................................... 5

3.5 Terms relating to security and cryptography ............................................................................................................ 5

3.6 Terms relating to archives and repositories ................................................................................................................ 6

3.7 Miscellaneous terms .......................................................................................................................................................................... 8

4 Symbols and abbreviated terms..........................................................................................................................................................8

5 Structure of this document ....................................................................................................................................................................12

5.1 Clauses ........................................................................................................................................................................................................ 12

5.2 Controls ...................................................................................................................................................................................................... 12

6 Overview and concepts ..............................................................................................................................................................................13

6.1 General ........................................................................................................................................................................................................13

6.2 Storage concepts ................................................................................................................................................................................ 13

6.3 Introduction to storage security ......................................................................................................................................... 14

6.4 Storage security risks.................................................................................................................................................................... 17

6.4.1 Background .......................................................................................................................................................................... 17

6.4.2 Data breaches ..................................................................................................................................................................... 17

6.4.3 Data corruption or destruction .......................................................................................................................... 18

6.4.4 Temporary or permanent loss of access/availability ...................................................................... 19

6.4.5 Failure to meet statutory, regulatory, or legal requirements ................................................. 19

7 Organizational controls for storage .............................................................................................................................................19

7.1 General ........................................................................................................................................................................................................ 19

7.2 Align storage and policy ......... ..................................................................................................................................................... 20

7.3 Business continuity management ...................................................................................................................................... 21

7.4 Compliance .............................................................................................................................................................................................. 22

8 People controls for storage ....................................................................................................................................................................23

9 Physical controls for storage ...............................................................................................................................................................24

9.1 General ........................................................................................................................................................................................................ 24

9.2 Physically secure storage ........................................................................................................................................................... 24

9.3 Protect physical interfaces to storage ............................................................................................................................ 25

9.4 Isolation of storage systems .................................................................................................................................................... 25

10 Technological controls for storage ................................................................................................................................................26

10.1 General ........................................................................................................................................................................................................ 26

10.2 Design and implementation of storage security .................................................................................................... 27

10.2.1 General ..................................................................................................................................................................................... 27

10.2.2 Storage security design principles .................................................................................................................. 27

10.2.3 Storage system quality attributes ...................................................................................................................29

10.2.4 Retention, preservation, and disposal of data ...................................................................................... 32

10.3 Storage systems security ........................................................................................................................................................... 32

10.3.1 System hardening ........................................................................................................................................................... 32

10.3.2 Security auditing, accounting, and monitoring ................................................................................... 33

10.3.3 Storage vulnerability management ................................................................................................................36

10.4 Storage management ........................................................................................................................................... ...........................36

10.4.1 Background ..........................................................................................................................................................................36

iii
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC DIS 27040:2022(E)

10.4.2 Authentication and authorization .................................................................................................................... 37

10.4.3 Secure the management interfaces ................................................................................................................38

10.5 Data confidentiality.........................................................................................................................................................................40

10.5.1 General .....................................................................................................................................................................................40

10.5.2 Encryption and key management issues ................................................................................................... 41

10.5.3 Encryption of storage ................................................................................................................................................. 41

10.5.4 Encrypting transferred data ................................................................................................................................44

10.5.5 Encrypting data at rest .............................................................................................................................................. 45

10.6 Storage sanitization ........................................................................................................................................................................46

10.6.1 General .....................................................................................................................................................................................46

10.6.2 Selection of sanitization methods .................................................................................................................... 47

10.6.3 Media-based sanitization.........................................................................................................................................48

10.6.4 Logical sanitization .......................................................................................................................................................48

10.6.5 Cryptographic erase .....................................................................................................................................................49

10.6.6 Verification of storage sanitization ................................................................................................................50

10.6.7 Proof of sanitization ..................................................................................................................................................... 51

10.7 Direct Attached Storage (DAS).............................................................................................................................................. 52

10.8 Storage networking ......................................................................................................................................................................... 52

10.8.1 Background .......................................................................................................................................................................... 52

10.8.2 Storage Area Networks (SAN) ............................................................................................................................. 53

10.8.3 Network Attached Storage (NAS) protocols ...........................................................................................58

10.9 Block-based storage ........................................................................................................................................................................60

10.9.1 Fibre Channel (FC) storage ....................................................................................................................................60

10.9.2 IP storage ............................................................................................................................................................................... 61

10.10 File-based storage ............................................................................................................................................................................ 61

10.10.1 General ..................................................................................................................................................................................... 61

10.10.2 NFS-based NAS.................................................................................................................................................................. 62

10.10.3 SMB-based NAS ................................................................................................................................................................ 62

10.11 Cloud computing storage ............................................................................................................................................................63

10.11.1 Securing cloud computing storage ..................................................................................................................63

10.11.2 CDMI security ........................................................................................................................................... ..........................64

10.12 Object-based storage ......................................................................................................................................................................65

10.13 Data reductions ...................................................................................................................................................................................65

10.14 Data protection and recovery ................................................................................................................................................66

10.14.1 General .....................................................................................................................................................................................66

10.14.2 Storage backups ............................................................................................................................................................... 67

10.14.3 Storage replication......................................................................................................................................................... 67

10.14.4 Continuous data protection (CDP) ...................................................................................................................68

10.15 Data archives and repositories .............................................................................................................................................68

10.15.1 General .....................................................................................................................................................................................68

10.15.2 Data Archives .....................................................................................................................................................................68

10.15.3 Data Repositories ............................................................................................................................................................72

10.16 Virtualization ........................................................................................................................................... .............................................73

10.16.1 Storage virtualization .................................................................................................................................................73

10.16.2 Storage for virtualized systems ..........................................................................................................................74

10.17 Secure multi-tenancy ..................................................................................................................................................................... 75

10.18 Secure autonomous data movement ................................................................................................................................ 76

Annex A (informative) Storage security controls summary ...................................................................................................78

Bibliography .............................................................................................................................................................................................................................86

Index .................................................................................................................................................................................................................................................90

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 27040:2022(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

This second edition cancels and replaces the first edition (ISO/IEC 27040:2015), which has been

technically revised.
The main changes compared to the previous edition are as follows:
— Clause 1 (Scope) has been expanded to include requirements;
— the structure of the clauses is more closely aligned with ISO/IEC 27002:2022;
— requirements have been added in Clauses 7, 9, and 9.4;
— adjustments have been made as to what storage technologies are covered;
— a new controls labelling scheme has been added;

— the original Annex A, which provided guidance on sanitizing specific types of media, was removed

and text was added in Clause 9.4, recommending IEEE Std 2883 for this purpose;

— the original Annex B, which included table to help prioritize the adoption of recommendation, has

been replaced with Annex A that summarizes the requirements and guidance;

— the original Annex C, which provided tutorial oriented material, was removed and references to

appropriate materials were added to the document.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC DIS 27040:2022(E)
Introduction

This document provides implementation requirements and guidance for storage security in meeting

the requirements of an information security management system (ISMS) according to ISO/IEC 27001.

This document recommends the information security risk management approach as defined in

ISO/IEC 27005. It is up to the organization to define their approach to risk management, depending

for example on the scope of the ISMS, context of risk management, and industry sector. A number of

existing methodologies can be used under the framework described in this document to implement the

requirements of an ISMS.

This document is relevant to managers and staff concerned with information security risk management

within an organization and, where appropriate, external parties supporting such activities.

The objectives for this document are the following:
— highlight the risks arising out of potential threats and attack surfaces;
— assist organizations in better securing their data;

— provide a basis for designing, auditing, and reviewing storage security controls.

It is emphasized that ISO/IEC 27040 provides further detailed implementation requirements

and guidance on the storage security controls that are described at a basic standardized level in

ISO/IEC 27002.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 6 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27040:2022(E)
Information technology — Security techniques — Storage
security
1 Scope

This document provides detailed technical requirements and guidance on how organizations can

achieve an appropriate level of risk mitigation by employing a well-proven and consistent approach to

the planning, design, documentation, and implementation of data storage security. Storage security

applies to the protection of data both while stored in information and communications technology

(ICT) systems and while in transit across the communication links associated with storage. Storage

security includes the security of devices and media, management activities related to the devices and

media, applications and services, and controlling or monitoring user activities during the lifetime of

devices and media and after end of use or end of life.

Storage security is relevant to anyone involved in owning, operating, or using data storage devices,

media, and networks. This includes senior managers, acquirers of storage product and services, and

other non-technical managers or users, in addition to managers and administrators who have specific

responsibilities for information or storage security, storage operation, or who are responsible for an

organization’s overall security program and security policy development. It is also relevant to anyone

involved in the planning, design, and implementation of the architectural aspects of storage network

security.

This document provides an overview of storage security concepts and related definitions. It includes

requirements and guidance on the threats, design, and control aspects associated with typical storage

scenarios and storage technology areas. In addition, it provides references to other International

Standards and technical reports that address existing practices and techniques that can be applied to

storage security.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000, Information technology — Security techniques — Information security management

systems — Overview and vocabulary

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management

systems — Requirements

ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security

controls
3 Terms and definitions
3.1 General

For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27005

and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC DIS 27040:2022(E)
— IEC Electropedia: available at https:// www .electropedia .org/
3.2 Terms relating to storage technology
3.2.1
block

unit in which data is stored (3.2.17) and retrieved on storage devices (3.2.14) and storage media (3.2.16)

3.2.2
compression
reduction in the number of bits used to represent an item of data

Note 1 to entry: For storage (3.2.12), lossless compression (i.e. compression using a technique that preserves the

entir
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC WD 27035-1(Main)
Information technology — Information security incident management — Part 1: Principles and process

This document is the foundation of the ISO/IEC 27035 series. It presents basic concepts, principles and process with key activities of information security incident management, which provide a structured approach to preparing for, detecting, reporting, assessing, and responding to incidents, and applying lessons learned. The guidance on the information security incident management process and its key activities given in this document are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.

  • Standard
    33 pages
    English language
    sale 15% off
ISO
ISO/IEC DIS 27035-2(Main)
Information technology — Information security incident management — Part 2: Guidelines to plan and prepare for incident response

This document provides guidelines to plan and prepare for incident response and to learn lessons from incident response. The guidelines are based on the “plan and prepare” and “learn lessons” phases of the information security incident management phases model presented in ISO/IEC 27035-1:2023, 5.2 and 5.6. The major points within the “plan and prepare” phase include: — information security incident management policy and commitment of top management; — information security policies, including those relating to risk management, updated at both organizational level and system, service and network levels; — information security incident management plan; — Incident Management Team (IMT) establishment; — establishing relationships and connections with internal and external organizations; — technical and other support (including organizational and operational support); — information security incident management awareness briefings and training. The “learn lessons” phase includes: — identifying areas for improvement; — identifying and making necessary improvements; — Incident Response Team (IRT) evaluation. The guidance given in this document is generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this document according to their type, size and nature of business in relation to the information security risk situation. This document is also applicable to external organizations providing information security incident management services.

  • Standard
    53 pages
    English language
    sale 15% off
  • Standard
    53 pages
    English language
    sale 15% off
ISO
ISO/IEC 24760-1:2019/Amd 1:2023(Amendment)
IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts — Amendment 1
  • Standard
    4 pages
    English language
    sale 15% off
  • Draft
    4 pages
    English language
    sale 15% off
  • Draft
    4 pages
    English language
    sale 15% off
ISO
ISO/IEC 27559:2022(Main)
Information security, cybersecurity and privacy protection – Privacy enhancing data de-identification framework

This document provides a framework for identifying and mitigating re-identification risks and risks associated with the lifecycle of de-identified data. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller’s behalf, implementing data de-identification processes for privacy enhancing purposes.

  • Standard
    22 pages
    English language
    sale 15% off
ISO
ISO/IEC 27557:2022(Main)
Information security, cybersecurity and privacy protection — Application of ISO 31000:2018 for organizational privacy risk management

This document provides guidelines for organizational privacy risk management, extended from ISO 31000:2018. This document provides guidance to organizations for integrating risks related to the processing of personally identifiable information (PII) as part of an organizational privacy risk management programme. It distinguishes between the impact that processing PII can have on an individual with consequences for organizations (e.g. reputational damage). It also provides guidance for incorporating the following into the overall organizational risk assessment: — organizational consequences of adverse privacy impacts on individuals; and — organizational consequences of privacy events that damage the organization (e.g. by harming its reputation) without causing any adverse privacy impacts to individuals. This document assists in the implementation of a risk-based privacy program which can be integrated in the overall risk management of the organization. This document is applicable to all types and sizes of organizations processing PII or developing products and services that can be used to process PII, including public and private companies, government entities, and non-profit organizations.

  • Standard
    19 pages
    English language
    sale 15% off
ISO
ISO/IEC 27553-1:2022(Main)
Information security, cybersecurity and privacy protection — Security and privacy requirements for authentication using biometrics on mobile devices — Part 1: Local modes

This document provides high-level security and privacy requirements and recommendations for authentication using biometrics on mobile devices, including security and privacy requirements and recommendations for functional components and for communication. This document is applicable to the cases that the biometric data and derived biometric data do not leave the device, i.e. local modes.

  • Standard
    30 pages
    English language
    sale 15% off
ISO
ISO/IEC 27005:2022(Main)
Information security, cybersecurity and privacy protection — Guidance on managing information security risks

This document provides guidance to assist organizations to: — fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; — perform information security risk management activities, specifically information security risk assessment and treatment. This document is applicable to all organizations, regardless of type, size or sector.

  • Standard
    62 pages
    English language
    sale 15% off
  • Standard
    66 pages
    French language
    sale 15% off
ISO
ISO/IEC 27001:2022(Main)
Information security, cybersecurity and privacy protection — Information security management systems — Requirements

This document specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This document also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this document are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this document.

  • Standard
    19 pages
    English language
    sale 15% off
  • Standard
    19 pages
    English language
    sale 15% off
  • Standard
    21 pages
    French language
    sale 15% off
  • Standard
    21 pages
    French language
    sale 15% off
  • Standard
    21 pages
    French language
    sale 15% off
  • Draft
    19 pages
    English language
    sale 15% off
  • Draft
    19 pages
    English language
    sale 15% off
  • Draft
    22 pages
    French language
    sale 15% off
ISO
ISO/IEC TR 24485:2022(Main)
Information security, cybersecurity and privacy protection — Security techniques — Security properties and best practices for test and evaluation of white box cryptography

This document introduces security properties and provides best practices on the test and evaluation of white box cryptography (WBC). WBC is a cryptographic algorithm specialized for a key or secret, but where the said key cannot be extracted. The WBC implementation can consist of plain source code for the cryptographic algorithm and/or of a device implementing the algorithm. In both cases, security functions are implemented to deter an attacker from uncovering the key or secret. Security properties consist in the secrecy of security parameters concealed within the implementation of the white box cryptography. Best practices for the test and evaluation includes mathematical and practical analyses, static and dynamic analyses, non-invasive and invasive analyses. This document is related to ISO/IEC 19790 which specifies security requirements for cryptographic modules. In those modules, critical security parameters (CSPs) and public security parameters (PSPs) are the assets to protect. WBC is one solution to conceal CSPs inside of the implementation.

  • Technical report
    12 pages
    English language
    sale 15% off
ISO
ISO/IEC 27556:2022(Main)
Information security, cybersecurity and privacy protection — User-centric privacy preferences management framework

This document provides a user-centric framework for handling personally identifiable information (PII), based on privacy preferences.

  • Standard
    22 pages
    English language
    sale 15% off