Saturday, 14 February 2009

Redaction Revealed

Over the past week we saw how the settlement between Facebook and ConnectU was hacked, revealing the details of the transaction. Apparently, this is not the first time it has happened, and many top organisations are exposed to such IT security risks. Managing those risks is fundamental to an organisation’s security policy.

The advent of the Portable Document Format (PDF), in addition to other word processing programs, made document distribution easier, which was an improvement on the Tagged Image File Format (TIFF) and Optical Character Recognition (OCR). Most organisations use PDFs to redact their electronic documents before distribution. However, the redacted content can be revealed if the redaction is not done properly.

A discussion of the instances where redacted documents were revealed, leading to the exposure of confidential information, is beyond the scope of this post. Essentially, electronic redaction done this way only changes the colour of the font; the text itself stays in the file, so when it is copied into an editing program, everything behind the blackouts is revealed.
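A pre-release check for the failure described above, as an added example that is not part of the original post: it scans a page content stream for text operators that still sit under a filled rectangle. The sample streams, the function name and the parsing simplifications are assumptions constructed for illustration.

```python
import re

# Constructed page content streams (sample data, not from a real document).
# FAKE: two text lines, then a black box painted over the second line only.
FAKE_REDACTED = b"""
BT /F1 12 Tf 72 720 Td (Settlement summary) Tj ET
BT /F1 12 Tf 72 700 Td (Amount: 12345 units) Tj ET
0 g 70 696 200 16 re f
"""
# TRUE: the text operator itself was removed before the box was drawn.
TRULY_REDACTED = b"""
BT /F1 12 Tf 72 720 Td (Settlement summary) Tj ET
0 g 70 696 200 16 re f
"""

TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
OPERATOR = re.compile(r"[A-Za-z]+\*?")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}

def text_under_boxes(stream):
    """Return text strings whose origin lies inside a filled rectangle."""
    # Simplifications (assumed): uncompressed stream, no `cm` transforms,
    # literal (non-hex) strings shown with Tj.
    stack, texts, boxes, pending = [], [], [], []
    x = y = 0.0
    for raw in TOKEN.findall(stream):
        tok = raw.decode("latin-1")
        if not OPERATOR.fullmatch(tok):      # number, /Name or (string)
            stack.append(tok)
            continue
        if tok == "BT":
            x = y = 0.0
        elif tok == "Td" and len(stack) >= 2:
            x, y = x + float(stack[-2]), y + float(stack[-1])
        elif tok == "Tm" and len(stack) >= 6:
            x, y = float(stack[-2]), float(stack[-1])
        elif tok == "Tj" and stack:
            texts.append((x, y, stack[-1][1:-1]))
        elif tok == "re" and len(stack) >= 4:
            pending.append(tuple(float(v) for v in stack[-4:]))
        elif tok in FILL_OPS:                # path is filled: boxes are opaque
            boxes, pending = boxes + pending, []
        elif tok in ("n", "S", "s"):         # path ended without a fill
            pending = []
        stack = []
    return [s for tx, ty, s in texts
            if any(bx <= tx <= bx + w and by <= ty <= by + h
                   for bx, by, w, h in boxes)]
```

A non-empty result means the document is not safe to distribute: the box only hides the text visually while the text operator is still in the file.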

At an organisational level, the solution lies in individuals understanding the technology being used before it is deployed. Managers should understand the trade-offs in disseminating information and the cost of security. Checks must be in place to protect sensitive information.

If you are not sure, the best solution is never to distribute the information to anyone. Another is to print it in hard copy and use a black marker over the text you don’t want to show. You can also use TIFF, which is only an image of the document, at the cost of losing the consumer-friendliness of PDFs.

Further reading:

Redacting with confidence

Copy, Paste and Reveal