Managing ISO/IEC 27001 Data Standards with Streamdal

We're updating our documentation, so the presented info might not be the most recent.
Beta

The data compliance features of Streamdal are currently in beta, and being tested with a select group of contributors, companies, and design partners. If you would like to participate in the beta, please reach out to us.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) collaborate to establish a unified global system for standards. ISO/IEC 27001 sets forth guidelines for organizations on managing risks related to information security, encompassing directives, processes, and employee education.

Streamdal can enforce data handling policies, and help ensure data is in compliance with this international standard.

Streamdal’s Approach

You can leverage Streamdal for:

Data Protection: The Streamdal SDK can ensure that only data strictly conforming to the required shape reaches its destination. You set up rules and pipelines in the Console UI that data must pass, in real time, in order to continue through your systems.

Data Threat Intelligence & Data Vulnerability Management: The Data Graph can serve as an overview for understanding and collecting information on anomalous activity in your data.

You can respond to data threats in real time by hot-swapping in more rigorous pipelines and by alerting on, or rejecting, data that does not meet standards such as PII handling or cryptographic requirements.

Data Masking and Data Policy Enforcement: Because the SDK executes your rules and pipelines before data can be produced or consumed, you can mask, obfuscate, and otherwise enforce PII handling policies before data moves through your system, and at every step afterward as needed.

Coming Soon: A visual guide on setting up ISO/IEC 27001-specific rules in the Console UI.

Regulatory Insights

We wanted to make researching the relevant data regulations easier and give a better idea of where Streamdal could be most impactful for your organization. In most cases, the combination of the observability and data governance capabilities will ensure successful compliance.

While more sections could be applicable, below are many sections taken from Annex A of ISO 27001:2022 [1] along with how Streamdal can help with data standards:

Annex A section, followed by how Streamdal helps comply:

5.36 Compliance with policies, rules and standards for information security
    Along with rules and pipelines that can be created in the Console UI, custom functions can be written to enforce policies on data for the most granular and “topic-specific” security policies.

5.7 Threat intelligence
    The Data Graph can serve as an overview of all your data operations in real time. You’ll be able to monitor the flow of real-time data, gaining a greater understanding of vulnerabilities and where to attach stricter rules to data.

5.8 Information security in project management
    By requiring the Streamdal SDK to be instrumented for new products and services, you’ll always have an up-to-date Data Graph to enforce your data security policies. Instrumentation should become exponentially easier once there are Streamdal libraries/shims available.

5.9 Inventory of information and other associated assets
    The Data Graph in the Console UI provides an always up-to-date view of all your data handling assets. Ensuring the Process() method is woven into code wherever data production or consumption takes place guarantees no maintenance is required for the Data Graph view.

5.10 Acceptable use of information and other associated assets
    Rules can be established and attached to any service that handles data. Streamdal rules and pipelines can be part of the required documentation and the de facto data policy enforcement mechanism.

5.14 Information transfer
    If it moves, Streamdal will govern it. Regardless of the sources and destinations of data, establishing rules and pipelines for data will ensure consistency, quality, and policy adherence.

5.28 Collection of evidence
    Along with the ability to monitor and alert on anomalous activity, the Data Graph provides a new window into the flow of data to help collect evidence. Using Tail, you can tap directly into real-time data to understand what is happening with data in your code.

5.33 Protection of records
    Streamdal is like a firewall for your data. The combination of establishing rules, using Tail to verify that data is valid and that policies are enforced, and monitoring for anomalous activity will help protect your data and minimize your risks in the event of a breach.

5.34 Privacy and protection of personal identifiable information (PII)
    The Streamdal SDK adds rich PII handling capabilities to the flow of your data. With rules, you can ensure PII is handled and protected in real time before it reaches its destination.

5.36 Compliance with policies, rules, and standards for information security
    Once rules and pipelines are established in the Console UI, they can be reused indefinitely and attached to any producer or consumer to ensure compliance with policies.

8.6 Capacity management
    The metrics available on the Data Graph and the exposed Prometheus metrics provide greater and more granular information for capacity management.

8.8 Management of technical vulnerabilities
    The combination of the Data Graph and Tail ensures there are no blind spots in the flow of your data. Tail lets you tap into real-time data to gain observability and to help refine the data policies you enforce through rules and pipelines. Together these two tools help detect and mitigate data vulnerabilities.

8.10 Information deletion
    While Streamdal cannot ensure data is deleted, rules can be established on time-series or other specific fields of data to ensure it is not re-introduced into critical environments.

8.11 Data masking
    There are many default rules to select from in the Console UI to create data masking pipelines. The Streamdal SDK ensures data is handled and masked as it is produced and consumed.

8.16 Monitoring activities
    From the Console UI, you can set up monitors and alerts for anomalous activity.

8.24 Use of cryptography
    Streamdal does not encrypt data. However, if you have data that is expected to be encrypted, rules can be set up to alert on or reject data that does not meet cryptographic requirements.
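As an added illustration of the pre-produce enforcement described under Data Masking and Data Policy Enforcement above, and of the alert-or-reject rule in 8.24, the following is constructed example code and not the Streamdal SDK: MaskRule, RequireRule, run_pipeline, guard_produce and the "enc:v1:" ciphertext convention are all assumptions. It runs a pipeline that masks PII fields and rejects (or merely alerts on) a field that should be ciphertext before the message ever reaches the producer.

```python
# Constructed stand-in for a pre-produce rules pipeline; it is NOT the Streamdal
# SDK. MaskRule, RequireRule, run_pipeline and guard_produce are hypothetical.
import base64
import re
from collections import namedtuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# detect(value) is truthy when the field looks like that PII type; mask(value)
# keeps only safe context. check(value) must hold; on_fail is "reject" or "alert".
MaskRule = namedtuple("MaskRule", "field detect mask")
RequireRule = namedtuple("RequireRule", "field check on_fail", defaults=["reject"])

class Rejected(Exception): pass  # a rule rejected the message; do not produce it

def looks_encrypted(value):
    # Assumed convention: encrypted fields are "enc:v1:" + base64 of >= 16 bytes.
    if not isinstance(value, str) or not value.startswith("enc:v1:"):
        return False
    try:
        return len(base64.b64decode(value[7:], validate=True)) >= 16
    except ValueError:
        return False

def run_pipeline(rules, msg):
    """Return (sanitized copy, audit events); raise Rejected on a hard failure."""
    out, events = dict(msg), []
    for rule in rules:
        value = out.get(rule.field)  # a missing required field is still checked
        if isinstance(rule, MaskRule):
            if isinstance(value, str) and rule.detect(value):
                out[rule.field] = rule.mask(value)
                events.append(f"masked:{rule.field}")
        elif not rule.check(value):
            if rule.on_fail == "reject":
                raise Rejected(f"{rule.field} fails {rule.check.__name__}")
            events.append(f"alert:{rule.field}")
    return out, events

PII_PIPELINE = [
    MaskRule("email", EMAIL_RE.match, lambda v: v[0] + "***@" + v.split("@")[1]),
    MaskRule("ssn", SSN_RE.match, lambda v: "***-**-" + v[-4:]),
    RequireRule("card_token", looks_encrypted),
]

def guard_produce(msg, produce):
    # Call this where the message is produced; only the sanitized copy is sent.
    clean, events = run_pipeline(PII_PIPELINE, msg)
    produce(clean)
    return clean, events
```

The returned events list is the audit trail a monitor or alert would consume; a Rejected exception means the producer call never happened.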

Information

Did you know:

ISO/IEC 27001 requirements on monitoring also dictate that applications be monitored for anomalous behavior?

Footnotes

  1. International Organization for Standardization. (2022). ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements [Annex A, Information security controls reference: 5.36, 5.7, 5.8, 5.9, 5.10, 5.14, 5.28, 5.33, 5.34, 5.36, 8.6, 8.8, 8.10, 8.11, 8.16, 8.24]. https://www.iso.org/standard/27001

    The link in the above reference does not provide direct access to the full document due to copyright restrictions. You may find it more useful to explore the referenced sections from the Annex A tables at isms.online.