Handling Sensitive Information

Chad Boeckmann, CISSP, GSEC

Since the advancement of computer science and the widespread distribution of technology, information has become quite the commodity. The world is connected as never before through technology and technological infrastructures. Because of this change, we must classify and scrutinize the information we have in our possession. There are many new regulations that require companies and individuals to take care in handling private and sensitive information. The ways to do this are quite simple, but adherence to best practices is essential.

Classifying Information

Information can be classified into three levels of importance; confidential, internal use and public. I encourage you to read papers from the SANS reading room to help you understand the possible threats to sensitive data and why it is important to be overcautious rather than not cautious enough.

Best Practices
When you are in possession of your own or someone else's personal information, such as Social Security numbers, credit or financial information or any other personal identifying information, you are responsible for how this information is handled and distributed. It is a good idea to distribute confidential information only on an as needed basis. It makes no sense to place Social Security numbers in an employee listing and publish this to a bulletin board. Information disclosure such as this is a recipe for identity theft and a host of other problems. Below are some ways to better handle and distribute confidential and private information:

• Employ encryption on files and directories whenever possible. Be sure to store the encryption key password in a safe location where it may be recovered in the event you have forgotten your password.
• Distribute information only on an as needed basis. If someone does not have a need for potentially confidential or personal information, then do not disclose it. Make surethere is a definitive need, such as processing a transaction or completing a sign-up process.
• Delete files or documents that contain confidential information as soon as they are no longer required. There should be no reason to retain this kind of information in multiple locations throughout a business unit.
• Do not store confidential or private information in a publicly accessible location.
• Discard hardcopy documents containing confidential or private information by shredding them. It is too easy to recover this information from a wastebasket or garbage can if not shredded.

Summary

Information is in high demand, and many people in this world go to great lengths to get all kinds of information. You may not think that the information you deal with or may have in your possession is of great value, but it is safer to treat all information as valuable and take extra precautions. It is far more costly to allow private or confidential information to fall into the wrong hands than it is to take a few extra seconds in disposing of information properly. The effects of mishandled information can devastate an individual or a business.