Identifying Sensitive Information

What not to Ask

In the early 1990s I was the security leader for the company’s major product development program. There was unprecedented international involvement, which included international digital data exchange of engineering digital design models. Some of our international suppliers worked side-by-side with our engineers in company facilities. There was a lot of angst about what the suppliers should and did have access to, and varied beliefs about what information was particularly sensitive.

To resolve the information sensitivity question, I arranged a meeting with the program leader. I asked the question: “What information should the supplier personnel be permitted to access?” The answer provided was: “Any information they need to do their job, and nothing more.” That means administration of access on a person-by-person basis, which we were in no way equipped to accomplish.

I realized that in my one chance I asked the wrong question. A better approach would have been to describe at a high level the current access control policy and how it was administered, and propose changes anticipating what I could intelligently guess was his expectation. It would also have been useful to outline what people thought was important to protect (i.e. the most important Trade Secrets) to confirm or correct the understanding. In either case, there would have been the opportunity for follow-up to gain formal approval of a written direction based on the discussion.
