What Not to Ask
In the early 1990s I was the security leader for the company’s major product development program. There was unprecedented international involvement, which included international digital data exchange of engineering digital design models. Some of our international suppliers worked side-by-side with our engineers in company facilities. There was a lot of angst about what the suppliers should and did have access to, and varied beliefs about what information was particularly sensitive.
To resolve the information sensitivity question, I arranged a meeting with the program leader. I asked the question: “What information should the supplier personnel be permitted to access?” The answer provided was: “Any information they need to do their job, and nothing more.” That means administration of access on a person-by-person basis, which we were in no way equipped to accomplish.
I realized that in my one chance I asked the wrong question. A better approach would have been to describe at a high level the current access control policy and how it was administered, and propose changes anticipating what I could intelligently guess was his expectation. It would also have been useful to outline what people thought was important to protect (i.e. the most important Trade Secrets) to confirm or correct the understanding. In either case, there would have been the opportunity for follow-up to gain formal approval of a written direction based on the discussion.