Controlling how sensitive information is exchanged with third parties, such as clients and suppliers, is, in my experience, an area often overlooked in enterprise security policies.
A clear, well-communicated policy covering how employees and partners communicate will enhance protection from data leakage.
Few organisations have a formal information exchange policy or agreements with partners to protect information once it leaves the safety of their internal network via the numerous possible communication channels. Too often, decisions such as whether to encrypt confidential information sent via email are left up to the individual rather than being based on a company-wide policy. Posting or emailing reports, off-site meetings and conference calls are just some of the many ways organisations exchange information, and a clearly stated and implemented policy is essential to protect these exchanges.
The information security standard ISO/IEC 27001 recognises the importance of securing exchanges of information, and the objective of section 10.8 is “to maintain the security of information and software exchanged within an organisation and with any external entity.”
Within section 10.8, control A.10.8.1 requires that “Formal exchange policies, procedures and controls should be in place to protect the exchange of information through the use of all types of communication facilities,” while control A.10.8.2 states, “Agreements should be established for the exchange of information and software between the organisation and external parties.”
An information sharing policy needs to cover all methods of modern communication, such as email, SMS, instant messaging and Twitter and video communications, as well as the more traditional methods of voice, fax and paper document. It should take into account any relevant legislation, such as the Data Protection Act. The areas that will need covering in any agreement on information sharing with third parties include:
- Responsibilities for dispatch and receipt
- Packaging and encryption standards
- Courier and media format standards
- Copyright and ownership
The extent of the security controls required to protect the information being exchanged will depend on its sensitivity, but the controls should reflect the information classification policies of the parties involved. Therefore, the first task is to agree on how information is to be classified and labelled, as there are likely to be variations among different organisations' internal policies. Also important to note is that controls that provide evidence of wrongdoing can help with the enforcement of disciplinary processes, and every organisation should have disciplinary procedures in place that employees are aware of.
For completeness, the classification policy should also state who or which categories of staff, contractors and partners are allowed to access the information and the locations from which it can be accessed, as well as which information cannot be exchanged. Copyright and legal ownership should be assigned to all information being exchanged.
Next, appropriate handling procedures for each classification and each communication channel need to be agreed upon. Handling procedures will be needed for voice, video, paper and various digital exchanges, including notification procedures so both sides know when information has been despatched or received. Confidential faxes, for example, should require the sender to phone ahead to alert the intended recipient the fax is about to be sent, so they can retrieve it directly from the fax machine.
Plaintext emails should be considered no more secure than a postcard. While it is often difficult in real life to get clients and suppliers to use digital certificates to encrypt emails, a possible alternative is to use a file compression program that supports strong encryption to encrypt files and correspondence before sending it electronically.
Face-to-face and phone conversations can easily be overheard, whether in an open-plan office, coffee shop or on the train, so confidential information should never be discussed other than from secure locations. Highly secret discussions should only take place in soundproofed rooms that have been swept for bugging devices. Your policy should also cover the use of message services, as messages left on answering machines can be overheard or easily replayed if mailboxes aren't properly password protected.
Video conferencing is a great time and money saver but ideally should be conducted in a dedicated video conferencing room. This has the advantage of keeping video conferencing equipment secure in a lockable space and makes it easier to control access to the interfaces of any equipment. Any rules and restrictions should be displayed clearly in any conference room.
Paper documents can go astray accidentally or deliberately during distribution, photocopying, printing or faxing. The main risks with faxes are misdialling or the fax being picked up from the machine by someone other than the intended recipient. In fact, faxes should be regarded very much like plaintext emails, as control over who sees them is lost once they are sent. Depending on the nature of your business, you may need to create a safe-haven fax machine to avoid faxes being transmitted to a centralised machine accessible by all employees.
Fax machines should be regularly checked to ensure speed dial numbers are correct, and anyone sending a fax should check to ensure he or she is using the correct stored number or has correctly dialled the intended number. Most faxes now cache pages in memory, and these should be cleared out on a regular basis, too. Staff must be forbidden from leaving documents unattended while they’re being transmitted, and they must not leave documents in the fax. Sensitive documents should not be printed to, or left on widely accessible printers, either.
When it comes to sending physical documents, a list of authorised and trusted couriers should be compiled, and there should be an agreed upon method of identifying the courier on arrival. Particularly sensitive information may require additional physical protection, such as a strong box or tamper-evident packaging.
Your information exchange policy will also need to cover or reference the relevant policies and procedures that each organisation has in order to protect data at rest, such as antimalware controls and guidelines for the retention and disposal of information. It is no use ensuring data is exchanged securely only for it to be compromised at its destination. That is why it is vital that someone at each organisation involved is made responsible for the information being exchanged, and he or she maintains an inventory of what is sent and received.
A clear, well-communicated policy covering how employees and partners communicate will enhance protection from data leakage. Its procedures for handling and exchanging information will need to be reviewed regularly as new partners and projects come along to ensure they remain as practicable as possible.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in July 2011