How to Manage a Crisis Tip #011: How to Handle Sensitive Documents
By Elaine Doyle
Would leaking of sensitive documents cause irreparable damage to your organisation’s reputation? Recently we've seen two stories of governments carelessly allowing sensitive information to find its way into the public domain. The media relish these stories and they have caused embarrassment to companies, government departments and their leaders.
The leaking of sensitive organisational information can damage an organisation’s reputation and credibility and bring financial, legal, compliance and regulatory implications. Hacking of information may be at the forefront of CEO’s minds but careless information management can be just as damaging. Security of your strategic, commercial, financial and personnel records should be an organisational priority.
Poor management of sensitive documents can also threaten the privacy of its employees, clients and commercial partners. When a project, transaction or business process is complete the security of that documentation does not have an end date. The commitment of the organisation to securely manage its information must be taken seriously to protect all concerned.
The following two examples are timely reminders of the importance of secure document management.
Sensitive anti-terrorism documents including a planned response drill to an anthrax attack on the USA LII Super Bowl were carelessly left on a plane. Found by a CNN reporter on the flight, a seemingly lucky scoop for the reporter.
A locked filing cabinet full of Australian Government sensitive correspondence and documents was found in a second-hand store. The locked filing cabinet, deemed as surplus office furniture had been sent to a second-hand dealer who sells disused government furniture. It had sat in the store for many months and was eventually purchased. The new owner breaking the lock stumbled across documents dating back several governments including sensitive discussions on controversial policies and decisions.
How did this information slip through document management procedures?
Were there any document management procedures?
These two reports are a reminder of the paramount importance for organisations to be rigorous and vigilant in their document management, policies, processes and monitoring particularly when sensitive material is concerned.
Could your organisation be at risk? The following are considerations for secure document management:
Storage of documents
Decide what is deemed to be a sensitive document - what are the characteristics of a sensitive document? Educate all staff on this.
Clearly identify and label sensitive material.
Access to secure documents should only be given to those authorised.
Create rigorous organisational document management procedures and educate all staff on document management procedures.
The sensitive printed material should either remain in secure areas or come with security procedures pertaining to its use.
Printing of documents to take off premises should be discouraged as documents can be easily left behind or misplaced.
Documents should be limited to formats that prevent editing, printing or sharing.
Password protection to authorised personnel should be enabled on sensitive documents.
Document management systems that track versions, storage and sharing should be considered.
Destruction of documents
At the finalisation of a project, transaction or business procedure, outdated obsolete information, when no longer required, should be destroyed.
Identify who might have copies of the documents electronic or paper.
Identify the possible places the documents could be stored.
Secure shredding service procedures for physical documents and secure procedures for electronic documents.
Information and records during a critical incident must be kept secure to ensure the incident is effectively managed and does not escalate due to a breakdown in communication or mismanaged documentation. Good practice is to secure such documents on a site independent of the organisation with a high level of encryption. Organisations with well planned crisis strategies use off site providers who offer secured offsite encrypted data storage.
If this is something you'd like to investigate for your organisation, Crisis Shield can provide assistance in establishing secure document management as well as training and testing for potential breaches.
For more information or support on this topic, contact Crisis Shield's Technical Advisor:
Phone: +61 3 9602 4310