What is ISO 27038?
ISO/IEC 27038 outlines the features of digital redaction approaches. ISO 27038, released in 2014, also defines criteria for software redaction tools and for completing testing procedures securely.
Sometimes, you may have to disclose information to third parties, or even to the public, for purposes such as disclosure of official records under Free Access Law or as evidence in legal matters or court proceedings. However, ISO 27038 does not provide data database revision. Databases count as ‘units of recorded information,’ but they are expressly exempt from the standard’s scope.
What is digital redaction?
Redaction is the method of removing material from a document before release. In the legal context, the use of redaction is to delete sensitive, proprietary or protected information from records before filing with the court, or otherwise, make it available for viewing outside the office. An organisation can also use redaction to delete metadata or material (e.g. images) imported into a document.
ISO 27038 describes redaction as the permanent removal of information inside a document where the document is officially defined as recorded information and considered as a unit. Definitions are essential since these words also mean other things in other contexts and general use. Later in the standard, redaction is extended to include not only removing sensitive information but also showing where the removed material is if required.
When considered unacceptable to reveal sensitive details inside a document, the organisation must safely delete the information before publication. Examples of this include the names or locations of individuals that must stay anonymous and various other personal or proprietary records that must remain strictly confidential.
Considering redaction is typically vital in protecting highly sensitive information. Errors in the process leading to unauthorised disclosure of data are serious. Redaction deficiencies led to events such as identity theft, exposure of sensitive security concerns, violations of privacy and, in some extreme cases, exposing the identity of undercover agents and informants. In contrast, disclosure of trade secrets may be highly costly in a commercial context. To those considered liable, at least, redaction errors can be humiliating
What are the information security risks associated with digital redaction?
There are several data security risks related to digital redaction. One of these threats is the failure to make the redacted information irreversible. This may be due to a variety of factors, such as neglecting to rewrite sensitive data or removing sensitive information only in part. By leaving the data remnants, it can enable redacted information to be retrieved. The use of incorrect or inadequate technological redaction methods, such as the unsubtle alteration of records, also poses data risks. Rather than permanently removing sensitive data, using techniques which can be or otherwise reversed, defeats the purpose of redacting the sensitive information as it can still be discovered.
Another vulnerability involving redaction is over-reliance on retouching, pixelating or using other similar techniques of obfuscation to mask sections of images. These techniques are often used to protect personal privacy. By using deconvolution and different, less sophisticated transformation approaches, enough of the original information can be restored to allow recognition. But in the other extreme, excessive or improper editing may also increase the security risk for an organisation. Removing more than just particular sensitive things that were supposed to have been written or done so clumsily could unintentionally change the meaning of the residual data as a consequence of contextual issues.
Incorrectly rewriting information may lead to leakage or an unintentional breach of data. Examples of this behaviour include:
- Failure to correctly specify all confidential data that needs to be redacted
- Mistakenly leaving any versions of the personal data wholly or partly exposed
- Inability to differentiate all redacted data against non-redacted information
- Leaving ample data in the file to allow recipients to deduce sensitive data
An over-reliance on redaction may also pose an information security risk. Believing that it is sufficient to keep sensitive data fully confidential under all cases, while technological and process errors are inevitable and accidents often occur. Conversely, putting zero dependencies on writing, thinking that it is incapable of defending sensitive information, can also increase your risk.
Redaction may also contribute to information security problems that are unintentional or peripheral to the process itself. Instances of this are:
- Sending the original files, the editing notes, the unedited contents or even the unedited documents to the incorrect recipients.
- Disclosure of unwritten versions of the file, both at the same time and by the same method of disclosure or separately.
- Exposing or leaking unreleased documents without authorisation.
- Disclosure, unintentionally or knowingly, of redacted data by other than the release of digital information.
These instances can cause harm to the credibility of an organisation or the initial unwritten files.
How does ISO 27038 mitigate these risks?
Although the ISO 27038 standard has a limited scope, the risks it addresses are significant, and many of the controls are technically as well as procedurally sophisticated. Like other ISO27k standards, ISO 27038 does not seek to cover in-depth all the vagaries of the editorial process but offers sound generic and high-level guidance.
What are the benefits of digital redaction?
Digital redaction technology has been around for many years now to revise confidential text from any document in PDF format electronically. A variety of software programmes have this feature. Despite this and as organisations are creating and transmitting a growing amount of digitally produced documents, some are still using manual paper redaction methods.
In many cases, this involves printing a document, manually removing confidential information with ink or tape, photocopying the record, and then downloading the document back to the system. With these tools available, why are some companies still using manual redaction?
Some companies are not aware that redaction technologies exist because they’ve been too busy to keep updated with technical developments. Some companies believe they don’t have time to explore their application options, so they keep doing what they’re used to doing. Other companies assume that the software is inaccurate and that written knowledge and metadata would somehow be uncoverable and increase their risk appetite. Whereas others are aware of this software, but they don’t think they can afford it.
The resulting redactions are more accurate because they do not rely on human beings to locate sensitive and privileged information. Digital redactions are usually quicker than manually editing a text.
It’s easier to label and erase text with simple mouse strokes than to put tape or black ink covering classified data. They can change hundreds of pages of writing in a fraction of the time required to rewrite the same amount manually.
As well as this, digital redaction is a substantial cost-saving method. It saves money from a firm in resources and in staff time. Instead of wasting hours performing a very administrative job, digital redaction can free workers up to perform more substantive work.
In several ways, this digital process is superior to any paper procedure. Digital editing is much more effective. Since all PDF applications with a Redaction feature have search capabilities, users can search for sensitive details, such as account numbers, and particular phrases.
Who can implement ISO 27038?
ISO 27038 applies to every organisation exchanging sensitive information externally. For example, when sharing an information security policy outside the company, any confidential information that it contains should be redacted before release. The standard incorporates two editorial levels:
- Basic redaction — context isn’t considered
- Enhanced redaction — context is considered
This distinction makes ISO 27038 crucial to many organisations in all sectors.
Demonstrating Good Practice for ISO 27038
Whereas the ISO specification guidelines usually use “shall” solely to denote mandatory conditions, ISO 27038 often uses “should” in places and offers clarification above and beyond the formal specifications. In practice, this makes it easier for users to grasp and implement the standard, but more challenging to verify and enforce compliance, if ever anticipated.
The standard, however, doesn’t say anything about the overall management of the redaction process. Instead, ISO 27038 defines what needs to be written, why, how and by whom, or assessing and how to handle risks in a given redaction situation. The standard also discusses security measures that need to be applied to or connected with the process, for example preventing the improper release or clarification of unwritten contents.
ISO/IEC 27038 requirements
ISO 27038 is composed of 9 clauses and one annex.
Clause 1: Scope
Clause 2: Terms and definitions
Clause 3: Symbols and abbreviated terms
Clause 4: General principles of digital redaction
- 4.1 Introduction
- 4.2 Anonymization
Clause 5: Requirements
- 5.1 Overview
- 5.2 Redaction principles
- 6.1 Introduction
- 6.2 Paper intermediaries
- 6.3 Digital image intermediaries
- 6.4 Simple digital redaction
- 6.5 Complex digital redaction
- 6.6 Contextual information
Clause 7: Keeping records of redaction work
Clause 8: Characteristics of software redaction tools
Clause 9: Requirements for redaction testing
Annex A: Redacting of PDF documents