ISO/IEC 27001 Control 5.14: Information transfer
Control
Information transfer rules, procedures, or agreements should be in place for all types of transfer facilities within the organization and between the organization and other parties.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint can use classifications and policy rules to limit and partially control information transfer.
Implementation Details
Policy rules can prohibit access to internal information for external users, or require that an appropriate non-disclosure agreement is in place (in the form of a clearance). Archetypes can be used to grant access to internal information to broad classes of users, e.g. by including the appropriate clearance in the employee archetype so that all employees automatically gain access to internal information. The object governance mechanism can be used to set information owners, who serve as the appropriate contacts for information transfer matters. Policy rules can be used to enforce stronger levels of authentication for users that have access to internal or sensitive information. The object history mechanism can provide supplementary information during investigations of inappropriate information transfer, e.g. demonstrating that a certain user had access to leaked information in the past.
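The following is an added illustration, not midPoint code or midPoint's configuration schema: a small Python model of the decision logic described above. Classification levels, archetypes, clearances, the information owner, the stronger-authentication rule and the access history are all represented as plain data so the policy behaviour can be read and tested. All names (users, objects, levels, archetypes) are constructed for the example.

```python
"""Simplified model of clearance-based information transfer control.

Added illustration only; it is not midPoint's implementation. It models the
mechanisms named on the page (classifications, clearances, archetypes, policy
rules, object owners, object history) as plain Python data. All sample names
and levels are constructed.
"""
from dataclasses import dataclass, field

# Classification levels ordered from least to most sensitive (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Archetype -> clearances granted automatically (constructed). This mirrors the
# idea of giving every employee the "internal" clearance via the employee archetype.
ARCHETYPE_CLEARANCES = {
    "employee": {"internal"},
    "external": set(),
}


@dataclass
class User:
    name: str
    archetype: str
    # Clearances granted individually, e.g. after a signed NDA (constructed).
    explicit_clearances: set = field(default_factory=set)
    # Whether the current session used stronger (multi-factor) authentication.
    authenticated_mfa: bool = False

    def clearances(self):
        """Effective clearances: archetype-derived plus explicitly granted ones."""
        return ARCHETYPE_CLEARANCES.get(self.archetype, set()) | self.explicit_clearances


@dataclass
class InformationObject:
    name: str
    classification: str
    owner: str  # governance contact responsible for transfer decisions


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_access(user, obj, history):
    """Apply the policy rules and record the outcome in the object history.

    Rule 1: the user's highest clearance must reach the object's classification.
    Rule 2: access at 'confidential' or above requires stronger authentication.
    """
    required = LEVELS[obj.classification]
    held = max([LEVELS[c] for c in user.clearances()] + [0])
    if held < required:
        decision = Decision(False, f"{user.name} lacks '{obj.classification}' clearance; "
                                   f"contact owner {obj.owner}")
    elif required >= LEVELS["confidential"] and not user.authenticated_mfa:
        decision = Decision(False, "stronger authentication required for sensitive information")
    else:
        decision = Decision(True, "clearance satisfied")
    # History entry: (user, object, allowed) - used later during investigations.
    history.append((user.name, obj.name, decision.allowed))
    return decision


def who_had_access(history, object_name):
    """Investigation helper: users who were granted access to the named object."""
    return sorted({u for u, o, ok in history if o == object_name and ok})


if __name__ == "__main__":
    log = []
    handbook = InformationObject("internal-handbook", "internal", owner="dana")
    alice = User("alice", "employee")
    bob = User("bob", "external")
    print(evaluate_access(alice, handbook, log))  # allowed via employee archetype
    print(evaluate_access(bob, handbook, log))    # denied, no clearance
    print(who_had_access(log, "internal-handbook"))
```

The history list stands in for midPoint's object history: after an incident, `who_had_access` answers the question the page raises, namely which users had access to the leaked object at some point.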
Rationale
MidPoint provides added value for information transfer control by preventing several undesirable scenarios.
Documentation
| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Description of an idea for limiting access to internal information using a classification scheme |
| 4.8 | Information Classification and Clearances | Description of an idea for limiting access to internal information using a classification scheme |
Related Features
Related Controls
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.23: Information security for use of cloud services