Re: releasing confidential docs



Rodo wrote:
I have a question. I have a potential client asking for security
documents from my company. They include: IT Org chart, Information
Security Policy, Data Classification Policy, Data Retention Policy,
Data Destruction Policy, Risk Assessment Standard, System Backup
Policy, Business Continuity Plan Summary, Disaster Recovery Plan
Summary. In your opinion, does releasing this info make for a
security violation? Would signing a Non-Disclosure Agreement be enough to
protect my company?

Do they need to see the actual documents, or are they simply after proper
reassurance that you actually have them yourselves? Keep in mind that if
they become clients they will be entrusting part of their business to you. I
don't ask to read other people's documentation myself (I've got plenty of my
own to read and write) but if I were entering into a deal with a vendor
whereby they had access to some of the information my business relied on, I
would want to know they were competent to handle that information.

Anyway, on to your questions.

My opinion (or anyone else here) on whether or not it is a security
violation isn't relevant. You need to ask whoever sets security policy for
your company. Or at the very least, your boss.

Having said that, I would be uncomfortable releasing internal documentation
on those processes if I were writing your security policies. But I'd also
recognise the need to reassure clients so I'd have 'public' versions of the
documents available for those that needed them.

My opinion (or anyone else here) on whether or not an NDA would protect your
company isn't relevant. You need to take advice from your local corporate
counsel, as the issues you need to worry about are the laws where you are
(e.g. is an NDA worth the paper it is written on, what clauses can it
contain, etc.), and how your company handles such things.

Remember that an NDA isn't some kind of mighty morphing power ranger that
springs to life and kills anyone that releases information, it's a bit of
paper that might give you an advantage in a court case about how such
information got released. Maybe. In the meantime, how valuable was that
information?

Having said that, my opinion is that NDAs should be treated with caution, or
rather the release of information under NDA should be treated carefully. If
someone was to compromise your company's entire customer base using
information released this way and drive your company out of business, the
fact that you might be able to sue someone and might even win if you're very
lucky might be cold comfort.

--
Robert Moir

www.robertmoir.com




