Re: releasing confidential docs
Rodo wrote:
I have a question. I have a potential client asking for security
documents from my company. They include: IT Org chart, Information
Security Policy, Data Classification Policy, Data Retention Policy,
Data Destruction Policy, Risk Assessment Standard, System Backup
Policy, Business Continuity Plan Summary, Disaster Recovery Plan
Summary. In your opinion, does releasing this info make for a
security violation? Would signing a Non-Disclosure Agreement be enough to
protect my company?

Do they need to see the actual documents, or are they simply after proper
reassurance that you actually have them yourselves? Keep in mind that if
they become clients they will be entrusting part of their business to you. I
don't ask to read other people's documentation myself (I've got plenty of my
own to read and write), but if I were entering into a deal with a vendor
whereby they had access to some of the information my business relied on, I
would want to know they were competent to handle that information.

Anyway, on to your questions.

My opinion (or anyone else here) on whether or not it is a security
violation isn't relevant. You need to ask whoever sets security policy for
your company. Or at the very least, your boss.

Having said that, I would be uncomfortable releasing internal documentation
on those processes if I were writing your security policies. But I'd also
recognise the need to reassure clients so I'd have 'public' versions of the
documents available for those that needed them.

My opinion (or anyone else's here) on whether or not an NDA would protect your
company isn't relevant. You need to take advice from your local corporate
counsel, as the issues you need to worry about are the laws where you are
(e.g. is an NDA worth the paper it is written on, what clauses can it
contain, etc.), and how your company handles such things.

Remember that an NDA isn't some kind of mighty morphing power ranger that
springs to life and kills anyone that releases information; it's a bit of
paper that might give you an advantage in a court case about how such
information got released. Maybe. In the meantime, how valuable was that
information?

Having said that, my opinion is that NDAs should be treated with caution, or
rather the release of information under NDA should be treated carefully. If
someone were to compromise your company's entire customer base using
information released this way and drive your company out of business, the
fact that you might be able to sue someone, and might even win if you're very
lucky, might be cold comfort.

--
Robert Moir

www.robertmoir.com