Some of my customers are asking for copies of some of our security policies. I mentioned that the documents were confidential but they insist on providing evidence that the policies exist. Should I give them a copy? These customers all have NDAs with my company.
Asked: June 22, 2011 2:48 PM
Updated: June 24, 2011 3:59 PM
IN MY OPINION, policies should NOT be confidential. A policy is written for others to follow, and how can they follow it if it is kept confidential so no one can read what it says?
Technochic – He didn’t say ultra top secret policy, he said confidential. I would imagine that his own organisation can read through it if they have a genuine reason to.
A policy is a top-level document which describes what measures will be used. It shouldn’t provide detail that could be of use to a ne’er-do-well.
“our systems have a firewall which denies all access to everyone not on a white list”
is a policy
‘Passwords will be minimum 30 bytes, mixed case, no repeats, blah blah’
is a policy
The underlying documentation which details how a techie makes changes to a firewall (and maybe the specifics of the authorities needed to do it) is internal.
Even with an NDA, assume anything that leaves you could become public. As a client concerned for the security of my data held by a supplier, I’d fire you if you didn’t reassure me that you knew what you were doing.
There is quite a bit of confusion regarding policies, procedures, standards, guidelines, etc.
My solution, while not perfect, helps differentiate these documents.
A policy states WHAT you want to do.
Example: clients will access company computers using their company-assigned accounts/passwords. Passwords are to be changed on a regular basis, ranging from every 30 days to 120 days. In this manner, you are being technology neutral (not stating what platforms/hardware/etc. you will be using, or locking yourself into a certain technology). If your platforms change, your policies will not have to be updated. This document should not present any security issues.
A procedure documents HOW the policy will be implemented. This document may be technology specific (on Windows computers, passwords will be changed every 30 days, while on UNIX machines, passwords will be changed every 60 days). You may describe in detail how to log on to computers, how to change passwords, how to contact support for security issues, etc. This document may be a classified document where only company employees have access to it. If technology changes, you may need to update this information.