Security Guidance Shouldn’t Be Secret

One learning point from the recent HMRC data breach is the need to declassify security guidance. As noted by the Guardian and The Register, some Government security manuals are themselves classified as protected data, which restricts their distribution. Most of industry declassified its security policies and standards and placed them on its intranets more than a decade ago. Security by obscurity no longer works when ordinary members of staff have the capability to compromise large quantities of sensitive company or customer data.


Should copyright be used to restrict the distribution? BS7799/17799/2700x might be more frequently used if published under a copyright licence allowing redistribution. And perhaps even more relevant, if derivative works were explicitly permitted, we might see more example policies derived from the standards. Other bodies such as ISACA and ISF seem to get along with allowing freely downloadable standards.

I couldn't agree more. I have to admit to having been a strong supporter of the original case for BS7799 copyright. Amongst other things, it prevented NIST from publishing the content. At the time (back in 1993) it seemed that strict control of content was more important than dissemination. I believe, with hindsight, that we got that judgement wrong.