Two cups of tea and a bit of head scratching later, here's my 'top 10' list of information security risks associated with redaction:
- Failing to correctly identify all the sensitive data that must be redacted.
- Failing to delete all the sensitive data, e.g. overlaying or obscuring it (a black box drawn over text in a PDF, or text recoloured to match the background) rather than actually deleting it, leaving the original content recoverable by anyone who extracts the text layer; accidentally leaving one or more copies of the sensitive data completely unredacted; partially deleting the sensitive data so that data remnants, cached copies, or enough information to ‘undelete’ it remain; or neglecting to redact sensitive metadata (e.g. document properties, tracked changes and reviewer comments, or alternate data streams).
- Excessive redaction, removing more than the specific sensitive items that were supposed to be redacted.
- Inappropriately altering the meaning of the remaining data because of contextual issues (e.g. deleting specific data records may invalidate statistical analysis of the remainder), or causing collateral damage to the file during the redaction process (such as file integrity problems or inappropriate formatting changes).
- Leaving sufficient data in the file to enable recipients to infer sensitive information, perhaps in conjunction with other available information sources (e.g. replacing people’s names with anonymous labels in a redacted file but separately disclosing the relationship between labels and names; disclosing anonymous statistical data on known small populations).
- Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately.
- Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks!).
- Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters).
- Placing excessive reliance on redaction, believing it keeps sensitive data totally confidential under all circumstances, whereas technical and process failures are possible and incidents do occur in practice; or conversely placing zero reliance on redaction, believing it totally incapable of protecting sensitive information (governance and assurance risks).
- Confidentiality failures that are incidental to the redaction process (such as sending the original file, redaction instructions or redacted file to the wrong email address, or these being intercepted by a third party en route to the right person).
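To make the second risk on the list concrete, here is an added example in Python (it is not part of the original post and not anyone's redaction tool). It builds a small single-page PDF inline with a constructed account number in the page text and a constructed name in the document properties, then compares an overlay ‘redaction’ (a black box painted over the text) with a genuine deletion, checking each result by decoding the content streams and reassembling the text operators rather than trusting what a viewer shows. The PDF builder, the sample strings and all the helper names are assumptions made for the demonstration.

```python
"""Checking whether a 'redacted' PDF really lost the sensitive text.

Added example; not code from the original post. The tiny PDF builder,
the account number, the name and the helper names are all constructed
for the demonstration.
"""
from __future__ import annotations

import re
import zlib

# Constructed sample secrets: one in the page text, one in document properties.
SECRETS = [b"ACCOUNT 4111-2222", b"Jane Doe"]

SENSITIVE_LINE = b"BT /F1 12 Tf 72 700 Td (ACCOUNT 4111-2222) Tj ET\n"
# Same text, but split across two string operands of a TJ array.
SPLIT_LINE = b"BT /F1 12 Tf 72 700 Td [(ACCOUNT ) -20 (4111-2222)] TJ ET\n"
HARMLESS_LINE = b"BT /F1 12 Tf 72 680 Td (Balance due) Tj ET\n"
BLACK_BOX = b"0 g 70 695 150 16 re f\n"  # filled black rectangle over the text
ORIGINAL_INFO = b"<< /Title (Statement for Jane Doe) /Author (Jane Doe) >>"
SCRUBBED_INFO = b"<< /Title (Statement) /Author () >>"


def build_pdf(content: bytes, info: bytes, compress: bool) -> bytes:
    """Assemble a minimal, valid single-page PDF (constructed sample) around
    the given page content stream and Info dictionary."""
    if compress:
        data, filt = zlib.compress(content), b" /Filter /FlateDecode"
    else:
        data, filt = content, b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(data), filt, data),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        info,
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\n" % (len(objs) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref
    return out


def overlay_redact(compress: bool = True) -> bytes:
    """'Redaction' by overlay: the text operator stays in the content stream
    and a black box is painted on top. A viewer shows only a black bar."""
    return build_pdf(SENSITIVE_LINE + HARMLESS_LINE + BLACK_BOX, ORIGINAL_INFO, compress)


def delete_redact(compress: bool = True) -> bytes:
    """Redaction by deletion: the text operator is removed, the box is drawn
    in its place, and the Info dictionary is scrubbed as well."""
    return build_pdf(HARMLESS_LINE + BLACK_BOX, SCRUBBED_INFO, compress)


def split_text_overlay() -> bytes:
    """Overlay again, but with the string split across TJ operands, so a
    byte search for the contiguous secret finds nothing even uncompressed."""
    return build_pdf(SPLIT_LINE + HARMLESS_LINE + BLACK_BOX, SCRUBBED_INFO, compress=False)


# Stream dictionaries carry their body length; use it rather than searching
# for 'endstream', which could legitimately occur inside binary stream data.
STREAM_RE = re.compile(rb"/Length (\d+)[^>]*>>\s*stream\r?\n")
LITERAL_STRING_RE = re.compile(rb"\((?:\\.|[^\\)])*\)", re.DOTALL)  # no nested parens


def grep_only(pdf: bytes, secrets=SECRETS) -> set[bytes]:
    """The check people reach for first: a byte search over the raw file."""
    return {s for s in secrets if s in pdf}


def decoded_views(pdf: bytes) -> list[bytes]:
    """The raw file, every stream body (inflated when FlateDecode-compressed),
    and the page text reassembled from the string operands of Tj/TJ."""
    views = [pdf]
    for m in STREAM_RE.finditer(pdf):
        body = pdf[m.end(): m.end() + int(m.group(1))]
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not compressed (or a filter this demo does not handle)
        views.append(body)
        views.append(b"".join(s[1:-1] for s in LITERAL_STRING_RE.findall(body)))
    return views


def find_remnants(pdf: bytes, secrets=SECRETS) -> set[bytes]:
    """Secrets still present anywhere in the decoded file."""
    views = decoded_views(pdf)
    return {s for s in secrets if any(s in v for v in views)}


if __name__ == "__main__":
    print("overlay, compressed  grep:", grep_only(overlay_redact()),
          " decoded:", find_remnants(overlay_redact()))
    print("split strings        grep:", grep_only(split_text_overlay()),
          " decoded:", find_remnants(split_text_overlay()))
    print("deleted + scrubbed   decoded:", find_remnants(delete_redact()))
```

The raw-byte grep gives false assurance twice: a compressed content stream hides the account number from it (only the name in the uncompressed Info dictionary is caught), and a string split across text operators never appears contiguously at all. The decoded check, which inflates each stream and reassembles the text operands, catches both, and reports nothing for the file where the text was actually deleted and the properties scrubbed. Real documents need a proper PDF parser (object streams, other filters, fonts with custom encodings, annotations, embedded files), so treat this as the shape of the verification step, not a drop-in tool.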
PS By all means Reply on this blog if you have something to say, or better still join the discussion on the ISO27k Forum or CISSPforum.