Security Policy Confidentiality

Some of my customers are asking for copies of some of our security policies. I mentioned that the documents were confidential, but they insist that I provide evidence that the policies exist. Should I give them a copy? These customers all have NDAs with my company.

Answer Wiki

You may need to have two sets of documents: one for internal and one for external distribution.
Customers' desire for some documentation is valid, but you cannot give out anything that would compromise your overall security.

Discuss This Question: 5  Replies

  • Technochic
    IN MY OPINION, policies should NOT be confidential. A policy is written for others to follow, and how can they follow it if it is kept confidential so no one can read what it says?
  • ErroneousGiant
    Technochic - He didn't say ultra-top-secret policy, he said confidential. I would imagine that his own organisation can read through it if they have a genuine reason to.
  • Yorkshireman
    A policy is a top-level document which describes what measures will be used. It shouldn't provide detail that could be of use to a ne'er-do-well. "Our systems have a firewall which denies all access to everyone not on a whitelist" is a policy. "Passwords will be a minimum of 30 bytes, mixed case, no repeats, blah blah" is a policy. The underlying documentation which details how a techie makes changes to a firewall (and maybe the specifics of the authorities needed to do it) is internal. Even with an NDA, assume anything that leaves you could become public. As a client concerned for the security of my data held by a supplier, I'd fire you if you didn't reassure me that you knew what you were doing.
  • Sunsetrider
    There is quite a bit of confusion regarding policies, procedures, standards, guidelines, etc. My solution, while not perfect, helps differentiate these documents.

    A policy states WHAT you want to do. Example: clients will access company computers using their company-assigned accounts/passwords. Passwords are to be changed on a regular basis, ranging from every 30 days to 120 days. In this manner, you are being technology neutral (not stating which platforms/hardware/etc. you will be using, nor locking yourself into a certain technology). If your platforms change, your policies will not have to be updated. This document should not present any security issues.

    A procedure documents HOW the policy will be implemented. This document may be technology specific (on Windows computers, passwords will be changed every 30 days, while on UNIX machines, passwords will be changed every 60 days). You may describe in detail how to log on to computers, how to change passwords, how to contact support for security issues, etc. This document may be a classified document where only company employees have access to it. If technology changes, you may need to update this information.
