1、BSI Standards PublicationBS ISO/IEC 27038:2014Information technology Security techniques Specification for digitalredactionCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS
2、BS ISO/IEC 27038:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC27038:2014.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33, IT - Security techniques.A list of organizations represented on this committee can beobtained
3、 on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 71489 4ICS 35.040Compliance with a Briti
4、sh Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 31 March 2014.Amendments issued since publicationDate Text affectedCopyright British Standards Institution Provided by IHS under license w
5、ith BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHSBS ISO/IEC 27038:2014Information technology Security techniques Specification for digital redactionTechnologies de linformation Techniques de scurit Spcifications pour la rdaction numrique ISO/I
6、EC 2014INTERNATIONAL STANDARDISO/IEC27038First edition2014-03-15Reference numberISO/IEC 27038:2014(E)Copyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014ISO/IEC 27038:2014(E)ii ISO/IEC 2014 All rights reservedCOPY
7、RIGHT PROTECTED DOCUMENT ISO/IEC 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written pe
8、rmission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandCopyright Briti
9、sh Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014ISO/IEC 27038:2014(E) ISO/IEC 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Terms and definitions . 13 Symbols and abbreviated terms . 24 Gener
10、al principles of digital redaction . 24.1 Introduction 24.2 Anonymization 25 Requirements 25.1 Overview 25.2 Redaction principles 36 Redaction processes . 46.1 Introduction 46.2 Paper intermediaries . 46.3 Digital image intermediaries 46.4 Simple digital redaction 46.5 Complex digital redaction 56.6
11、 Contextual information 57 Keeping records of redaction work. 68 Characteristics of software redaction tools 69 Requirements for redaction testing . 7Annex A (informative) Redacting of PDF documents 9Copyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy N
12、ot for ResaleNo reproduction or networking permitted without license from IHSBS ISO/IEC 27038:2014ISO/IEC 27038:2014(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. N
13、ational bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual inter
14、est. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.International Standards are drafted in accordance with t
15、he rules given in the ISO/IEC Directives, Part 2.The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard require
16、s approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.ISO/IEC 27038 was prepared b
17、y Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.iv ISO/IEC 2014 All rights reservedCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014ISO/IEC 27038:20
18、14(E)IntroductionSome documents can contain information that must not be disclosed to some communities. Modified documents can be released to these communities after an appropriate processing of the original document. This processing can include the removal of sections, paragraphs or sentences with,
19、 where appropriate, the mention that they have been removed. This process is called the “redaction” of the document.The digital redaction of documents is a relatively new area of document management practice, raising unique issues and potential risks. Where digital documents are redacted, removed in
20、formation must not be recoverable. Hence, care needs to be taken so that redacted information is permanently removed from the digital document (e.g. it must not be simply hidden within nondisplayable portions of the document).This International Standard specifies methods for digital redaction of dig
21、ital documents.Redaction can also involve the removal of document metadata or the removal of some information (e.g. an image) imported into the document.It can be possible to identify redacted information in a redacted digital document by context. For example, the length of the redaction replacement
22、 text can indicate the length of the redacted information, and thus the information itself. This International Standard introduces two levels of redaction: BASIC redaction where context is not taken into consideration; ENHANCED redaction where context is taken into consideration.Redaction techniques
23、 can be used for the anonymization of the information in a document, for example by the removal of some names within sentences. It can also involve the removal of numbers within sentences and their replacement by “XXX”. ISO/IEC 2014 All rights reserved vCopyright British Standards Institution Provid
24、ed by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014Copyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014Information technology Security techniques Specification for digital
25、 redaction1 ScopeThis International Standard specifies characteristics of techniques for performing digital redaction on digital documents. This International Standard also specifies requirements for software redaction tools and methods of testing that digital redaction has been securely completed.T
26、his International Standard does not include the redaction of information from databases.2 Terms and definitionsFor the purposes of this document, the following terms and definitions apply.2.1anonymizationprocess by which personally identifiable information (PII) is irreversibly altered in such a way
27、 that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other partySOURCE: ISO/IEC 29100:2011, definition 2.22.2documentrecorded information which can be treated as a unitNote 1 to entry: Documents can contain text, pi
28、ctures, video and audio content, metadata and other associated content.2.3personally identifiable informationPIIany information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principalNote 1 to entry:
29、To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person.SOURCE: ISO/IEC 29100:2011, definition 2.92.4redactionpermanent removal of i
30、nformation within a document2.5reviewerindividual(s) who assesses a document for redaction requirementsNote 1 to entry: There could be a series of individuals who assess a particular document.INTERNATIONAL STANDARD ISO/IEC 27038:2014(E) ISO/IEC 2014 All rights reserved 1Copyright British Standards I
31、nstitution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014ISO/IEC 27038:2014(E)3 Symbols and abbreviated termsFor the purposes of this document, the following abbreviations apply.PII Personally Identifiable InformationPDF Portable Document FormatOC
32、R Optical Character RecognitionXML Extensible Markup Language4 General principles of digital redaction4.1 IntroductionRedaction is carried out in order to permanently remove particular information from a copy of a document. It should be used when, for example, one or two individual words, a sentence
33、 or paragraph, an image, a name, address and/or signature needs to be removed from a document prior to it being disclosed to individuals who are not authorized to view the removed information.The process of digital redaction is not simply to remove information but also to indicate where necessary th
34、at some information has been removed, so that the reader knows that the document has been redacted. For example, there can be a need to know that some words or some paragraphs have been deleted in order to maintain the semantics of the non-redacted information.4.2 AnonymizationAs an example, one of
35、the purposes of redaction is to remove personally identifiable information (PII) from a document (anonymization). Where such a purpose is applicable, then redaction processes shall be so designed such that the identity of the individual about whose information is being redacted is protected.It can b
36、e, for example, that even though a name has been redacted from a document, the identity of the individual is evident from the remaining information. Where anonymization is required, all information that could be used to identify the individual shall be redacted. This shall include all information th
37、at could be used in conjunction with other information (which can be obtained from other sources) to identify the individual.5 Requirements5.1 OverviewOrganizations should have the capability to identify documents that need to be redacted prior to their release to other parts of the organization or
38、to others (such as the public).Redaction should be performed or overseen by reviewers that are knowledgeable about the documents and can determine what information is to be redacted. If reviewers identifying such information do not carry out redaction themselves, their instructions shall be specific
39、 e.g. Memo dated , paragraph no, line starting and ending etc.Redaction shall be carried out on copies of the digital document. The redaction process shall result in the creation of a new digital document where complete and irreversible removal of the redacted information is achieved. This new digit
40、al document shall be managed and disposed of in the same manner as the original document.2 ISO/IEC 2014 All rights reservedCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for Resale-,-,-BS ISO/IEC 27038:2014ISO/IEC 27038:2014(E)When identifying
41、information that needs to be redacted prior to release, whole sentences or paragraphs should not be identified if only one or two words in that sentence or paragraph are to be redacted, unless the release would enable the identification of the redacted information by context.Where necessary, informa
42、tion relating to the effect that a digital document has been redacted shall be linked with the digital document. To identify the fact that a redaction process has been undertaken, redacted information may be replaced by a sentence stating that some information has been redacted.When redaction is per
43、formed on a digital document, any metadata included within the digital document shall be reviewed for redaction requirements and appropriate redactions undertaken.Where redaction is performed on a digital document that contains images, video and/or voice information, redaction techniques that remove
44、 the necessary information shall be used.5.2 Redaction principlesThe redaction of digital documents shall be carried out in accordance with the following principles: Retention of digital original documentThe original or master version of a digital document shall not be redacted redaction shall be ca
45、rried out on a copy of the digital document. Original digital documents (e.g. the un-redacted document) shall be retained and be accessible only to those authorized. Complete removal of redacted informationRedaction shall irreversibly remove the required information from the redacted version of the
46、document. The information shall be completely removed from the digital document, not simply from the displayable content. Security evaluated redactionRedaction shall always be carried out using methods approved by the organization. Controlled environmentElectronic redaction shall be carried out in a
47、n environment that provides access only to those trained and authorized to carry out redaction. Intermediary stagesAll the redacted documents in intermediary stages of the redaction process should be deleted. Only the original digital document and the appropriately redacted version should be retaine
48、d. Where a particular digital document is to be redacted in different ways (for example for different audiences), then it may be appropriate to temporarily retain intermediate stages until all redaction processes have been completed.If there are many digital documents that can have many redactions f
49、or different reasons, and if over time some of the reasons for redaction expire, it may be necessary to create and retain over time an intermediary copy that indicates the text or objects that should be redacted and the reasons for the redaction. The information is actually redacted when the redacted copy is produced. This provi