Annex A 5.14 - Information Transfer

Title of Control: Information Transfer

Introduction (what is it?): This control emphasizes the establishment of rules, procedures, or agreements for transferring information within the organization and between the organization and external parties. It ensures the security of information during transit, aiming to prevent unauthorized access, interception, and modification.

What is the purpose of it? The purpose of this control is to maintain the security of information during its transfer within the organization and with external parties. By implementing information transfer rules, procedures, or agreements, the organization ensures that sensitive information remains protected while being shared or transmitted.

What are the benefits of meeting these requirements? Meeting these requirements offers several benefits:

  • Data Security: Information transfer procedures safeguard the confidentiality, integrity, and availability of data during transit.

  • Effective Communication: Clearly defined rules and agreements facilitate smooth and secure information exchange within the organization and with external parties.

  • Compliance: Ensuring that transfer procedures align with classification schemes, legal requirements, and best practices contributes to regulatory compliance.

  • Traceability: Maintaining a chain of custody and non-repudiation mechanisms aids in tracing information and holding parties accountable.

  • Risk Reduction: Adequate controls and authentication mechanisms reduce the risk of unauthorized access, interception, and data loss during transfer.

How difficult is this control to meet? Implementing information transfer rules and procedures can vary in difficulty depending on the complexity of the organization's operations and the nature of information shared. While setting up these controls may require careful planning and coordination, they are critical for secure information sharing.

What are the sub-requirements?

  1. Develop and communicate a topic-specific policy on information transfer to relevant interested parties.

  2. Align rules, procedures, and agreements with the organization's information classification scheme (5.12).

  3. Establish transfer agreements, including recipient authentication, when sharing information with third parties.

  4. Consider electronic transfer, physical storage media transfer, and verbal transfer in the information transfer procedures.

  5. Apply controls to protect information from interception, unauthorized access, modification, and denial of service during transit.

  6. Maintain a chain of custody for information in transit to ensure traceability and non-repudiation.

  7. Identify contacts responsible for transfer, including information owners, risk owners, security officers, and custodians.

  8. Define responsibilities and liabilities in case of information security incidents during transfer.

  9. Use an agreed labelling system for sensitive or critical information to ensure appropriate protection (see 5.13).

  10. Define reliability, availability, and retention requirements for the transfer services used, so that a transfer is not lost, delayed, or kept longer than its classification allows.

  11. Include guidelines from the topic-specific policy on acceptable use of information transfer facilities (see 5.10).

  12. Address legal, statutory, regulatory, and contractual requirements related to information transfer.

  13. For electronic transfer, address detection of and protection against malware, protection of sensitive information sent as attachments (e.g. by encrypting the attachment or the message), and prevention of mis-addressing or misdirection of messages.

  14. Obtain approvals for using external public services for information transfer.

  15. Strengthen authentication for information transfer via publicly accessible networks.

  16. Set restrictions on electronic communication facilities (for example, blocking automatic forwarding of e-mail to external addresses) and give personnel guidance on their acceptable use.

  17. Advise against sending critical information via SMS, instant messages, or unsecured fax.

  18. Educate personnel and interested parties about the problems associated with using fax machines or services.

  19. Establish responsibilities for controlling, notifying, and verifying transmission, dispatch, and receipt of physical storage media.

  20. Ensure proper packaging to protect storage media from physical damage during transit.

  21. Maintain a list of authorized and reliable couriers, along with courier identification standards.

  22. Use tamper-evident or tamper-resistant controls for transporting storage media based on the classification level.

  23. Verify courier identification and maintain logs of content, protection measures, recipients, and transfer times.

  24. Remind personnel not to hold confidential conversations in public places or over insecure channels, where they can be overheard by unauthorized persons, and not to leave confidential messages on answering machines or voicemail.

  25. Ensure appropriate room controls (e.g. soundproofing, closed doors) for sensitive verbal discussions, confirm that participants hold the required clearance, and open sensitive conversations with a disclaimer so that those present know the classification level of what follows.
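
Sub-requirements 5, 6 and 23 ask for protection against modification and mis-addressing in transit, a chain of custody, and logs of content, recipient and transfer time. The following is an added example, written for this page and not taken from ISO/IEC 27002 or any vendor product, of what those controls can look like for an electronic transfer. It assumes a pre-shared key agreed in a hypothetical transfer agreement between sender and recipient (`TRANSFER_KEY` is a constructed constant, not a real secret) and uses a constructed sample payload in place of a real file. The manifest is authenticated with an HMAC, which gives integrity and origin authentication between the two parties that hold the key; it does not give non-repudiation towards a third party, which would require a digital signature (e.g. Ed25519 via a library such as `cryptography`). The custody log is hash-chained so that editing or deleting an earlier entry breaks every later link.

```python
"""Tamper-evident transfer manifest plus a hash-chained chain-of-custody log.

Added example for the information transfer control; standard library only.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample payload standing in for the file being transferred.
SAMPLE_PAYLOAD = b"Q3 customer list - CONFIDENTIAL\nacme,contact@example.org\n"

# Assumption: a key pre-shared under the transfer agreement. Constructed value,
# used only so the example is reproducible; never hard-code a real key.
TRANSFER_KEY = bytes.fromhex("2b" * 32)


def _canonical(obj):
    """Deterministic JSON encoding so sender and recipient hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(payload, sender, recipient, classification, key, when=None):
    """Describe a transfer (content hash, parties, label, time) and tag it with an HMAC."""
    manifest = {
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
        "sender": sender,
        "recipient": recipient,
        "classification": classification,
        "sent_at": (when or datetime.now(timezone.utc)).isoformat(),
    }
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac": tag}


def verify_transfer(signed, payload, key, expected_recipient):
    """Recipient-side check. Returns (ok, reason).

    Order matters: an unauthenticated manifest is rejected before any of its
    fields are trusted; then the recipient field catches mis-addressing; then the
    content hash catches modification of the payload in transit.
    """
    expected = hmac.new(key, _canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        return False, "manifest tag mismatch"
    if signed["manifest"]["recipient"] != expected_recipient:
        return False, "misaddressed"
    if hashlib.sha256(payload).hexdigest() != signed["manifest"]["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


class CustodyLog:
    """Append-only log where each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(_canonical(fields)).hexdigest()

    def append(self, event, actor, content_sha256, when=None):
        """Record who did what to which content, and when; return the entry hash."""
        entry = {
            "seq": len(self.entries),
            "event": event,
            "actor": actor,
            "sha256": content_sha256,
            "at": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain. Returns (True, count) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)


def demo():
    """Happy path, a modified payload, and a tampered custody log."""
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    signed = build_manifest(SAMPLE_PAYLOAD, "alice@example.org",
                            "bob@partner.example", "CONFIDENTIAL", TRANSFER_KEY, when)
    log = CustodyLog()
    log.append("dispatched", "alice@example.org", signed["manifest"]["sha256"], when)
    ok, reason = verify_transfer(signed, SAMPLE_PAYLOAD, TRANSFER_KEY, "bob@partner.example")
    log.append("received:" + reason, "bob@partner.example", signed["manifest"]["sha256"], when)
    # A single appended byte is enough to fail the content check.
    _, tampered_reason = verify_transfer(signed, SAMPLE_PAYLOAD + b"x", TRANSFER_KEY,
                                         "bob@partner.example")
    # Rewriting history in the log breaks the chain at the edited entry.
    log.entries[0]["actor"] = "mallory@example.org"
    chain_ok, bad_index = log.verify()
    return reason, tampered_reason, chain_ok, bad_index


if __name__ == "__main__":
    print(demo())
```

In practice the manifest travels with the payload (or out of band), the recipient verifies before opening the content, and both parties keep their own copy of the custody log; the entries give the "content, protection measures, recipients, and transfer times" record that sub-requirement 23 asks for, in a form where later edits are detectable.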

Other information:

  • Information transfer can occur through electronic, physical, or verbal means, and proper controls need to address each method.

  • Information transfer is essential for effective communication within the organization and with external parties.

  • Compliance with legal and regulatory requirements is crucial when developing information transfer rules and procedures.

  • Implementing strong authentication and encryption mechanisms enhances the security of electronic transfers.

  • Proper labelling of sensitive information aids in secure and appropriate handling during transfer.

  • Training and awareness initiatives help personnel and interested parties understand the risks and best practices associated with different types of information transfer.
