The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [140]
Explanation/Notes: Hard copy documents must have a cover sheet, with a classification label prominently displayed, and a classification label on every page that is visible when the document is open.
All electronic files that cannot easily be labeled with appropriate data classifications (database or raw data files) must be protected via access controls to ensure that such information is not improperly disclosed, and that it cannot be changed, destroyed, or made inaccessible.
All computer media such as floppy disks, tapes, and CD-ROMs must be labeled with the highest classification of any information contained therein.
Information Disclosure
Information disclosure involves the release of information to various parties based on their identity and need to know.
2-1 Employee verification procedure
Policy: The company should establish comprehensive procedures to be used by employees for verifying the identity, employment status, and authorization of an individual before releasing Confidential or Sensitive information or performing any task that involves use of any computer hardware or software.
Explanation/Notes: Where justified by size of company and security needs, advanced security technologies should be used to authenticate identity. The best security practice would be to deploy authentication tokens in combination with a shared secret to positively identify persons making requests. While this practice would substantially minimize risk, the cost may be prohibitive for some businesses. In those circumstances, the company should use a company-wide shared secret, such as a daily password or code.
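The token-plus-shared-secret verification described above, as an added example in Python that is not from the book: the requester presents a per-employee one-time token code (HOTP/TOTP per RFC 4226/6238) together with the company-wide daily code, and the verifier accepts the request only when both match. The employee ids, token seeds and company secret are constructed sample values.

```python
import hmac, hashlib, struct, time
from datetime import date

# Constructed sample data (not from the book): per-employee token seeds and
# the company-wide secret from which the daily code is derived.
TOKEN_SEEDS = {"E1001": b"seed-for-employee-1001", "E1002": b"seed-for-employee-1002"}
COMPANY_SECRET = b"company-wide-shared-secret"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, now: float, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(seed, int(now // step))

def daily_code(day: date, secret: bytes = COMPANY_SECRET) -> str:
    """Company-wide daily code: an HMAC of the date, so it rotates every day
    without anyone having to distribute a new password."""
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return mac[:8]

def verify_request(employee_id, token_code, presented_daily_code, now=None, today=None):
    """Return (accepted, reason). Both factors must match: the token ties the
    request to one enrolled employee, the daily code shows company membership."""
    now = time.time() if now is None else now
    today = date.today() if today is None else today
    seed = TOKEN_SEEDS.get(employee_id)
    if seed is None:
        return False, "unknown employee id"
    # Constant-time comparisons so a mismatch leaks nothing about the right value.
    if not hmac.compare_digest(presented_daily_code, daily_code(today)):
        return False, "daily code mismatch"
    # Accept the current window and the previous one to tolerate clock drift.
    counter = int(now // 30)
    if not any(hmac.compare_digest(token_code, hotp(seed, c)) for c in (counter, counter - 1)):
        return False, "token code mismatch"
    return True, "verified"
```

A request that fails either check is refused with a reason suitable for logging, which is what an employee following policy 2-1 should record before declining to release information.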
2-2 Release of information to third parties
Policy: A set of recommended information disclosure procedures must be made available and all employees should be trained to follow them.
Explanation/Notes: Generally, distribution procedures need to be established for:
• Information made available within the company.
• Distribution of information to individuals and employees of organizations having an established relationship with the company, such as consultants, temporary workers, interns, employees of organizations that have a vendor relationship or strategic partnership arrangement with the company, and so on.
• Information made available outside the company.
• Information at each classification level, when the information is being delivered in person, by telephone, by email, by facsimile, by voice mail, by postal service, by signature delivery service, and by electronic transfer.
2-3 Distribution of Confidential information
Policy: Confidential information, which is company information that could cause substantial harm if obtained by unauthorized persons, may be delivered only to a Trusted Person who is authorized to receive it.
Explanation/Notes: Confidential information in a physical form (that is, printed copy or on a removable storage medium) may be delivered:
• In person.
• By internal mail, sealed and marked with the Confidential classification.
• Outside the company by a reputable delivery service (that is, FedEx, UPS, and so on) with signature of recipient required, or by a postal service using a certified or registered class of mail.
Confidential information in electronic form (computer files, database files, email) may be delivered:
• Within the body of encrypted email.
• By email attachment, as an encrypted file.
• By electronic transfer to a server within the company internal network.
• By a fax program from a computer, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.
Confidential information may be discussed in person; by telephone within