Tuesday 6 November 2012

Help needed to write a redaction guideline

Despite a million other priorities, I try hard to keep up with developments on the ISO27k standards and to contribute to standards in areas where I have both the experience/skills and the interest/drive to overcome the inevitable inertia and conservatism of an international standards body.  One of the standards projects that caught my imagination back in January 2011 has been quietly developing a specification for redacting digital documents. ISO/IEC 27038 is nearly complete and should hit the streets within a few months.

While I appreciate the ISO committee's desire to contain the scope and publish something in a realistic timeframe, I'm disappointed that the first release of ISO/IEC 27038 will not cover redaction of sensitive content other than in 'digital documents'. For example, sensitive content often needs to be redacted from official census data before being released to the general public: is that a 'database' or a 'digital document'? Redaction of standalone audio and video recordings (such as CCTV recordings of crime suspects and telephone recordings of emergency calls by informants) and digital data streams (such as all that juicy information flowing between government departments and agencies, both domestically and internationally) may technically be considered out of scope of the standard, although similar risks and security considerations apply.

Furthermore, the published standard won't say much about the governance or overall management of the redaction process (e.g. identifying what has to be redacted, why, how and by whom, or analyzing and treating the risks in a given redaction situation), nor about the security controls that perhaps ought to be applied to or associated with the process (e.g. to prevent the inappropriate release of unredacted content or of explicit redaction instructions).

I spot the opportunity here for another collaborative community project to develop implementation guidance that will supplement and extend the actual standard.  Please email me directly or bring this up on the ISO27k Forum or CISSPforum if you support the suggestion, especially if you are prepared to muck in and help out with the writing over the next few months. It's all very well coming up with bright ideas, but it takes effort to write stuff that others will value enough to use.  If the idea takes off, we'll incorporate the finished guideline in the free ISO27k Toolkit under a Creative Commons license and, who knows, one day it may lead to a more comprehensive version of ISO/IEC 27038 or an associated guideline standard.  Meanwhile, I'll carry on with those other priorities!


Follow-up Dec 1st: this has had a zero response, not a sausage, so I guess nobody's interested in the idea.  Fair enough.  I'll get my coat ...
