Receiving the 1st working draft of new international standard ISO/IEC 27038 on digital redaction this morning prompted me to think about the risk associated with redaction, more specifically the information security risks associated with the redaction of electronic documents and other digital data files (e.g. digital still photos and video images; spreadsheets and numeric/statistical data sets and databases).
Two cups of tea and a bit of head scratching later, here's my 'top 10' list of information security risks associated with redaction:
- Failing to identify correctly all the sensitive data that must be redacted.
- Failing to delete all the sensitive data, e.g. overlaying or modifying the sensitive data using methods that can be completely or partially reversed rather than actually deleting it; accidentally leaving one or more copies of the sensitive data completely unredacted; partially deleting the sensitive data, leaving data remnants or cached copies, or sufficient information to ‘undelete’ the data; or neglecting to redact sensitive metadata (e.g. in document properties or reviewer comments, or alternate data streams).
- Excessive redaction, removing more than the specific sensitive items that were supposed to be redacted.
- Inappropriately altering the meaning of the remaining data as a result of contextual issues (e.g. deleting specific data records may invalidate statistical analysis of the remainder), or by causing collateral damage to the file structure (such as file integrity issues and inappropriate formatting changes) during the redaction process.
- Leaving sufficient data in the file to enable recipients to infer sensitive information, perhaps in conjunction with other available information sources (e.g. replacing people’s names with anonymous labels in a redacted file but separately disclosing the relationship between labels and names; disclosing anonymous statistical data on known small populations).
- Accidentally disclosing unredacted versions of the file, whether at the same time and through the same disclosure mechanism or separately.
- Deliberate disclosure or ‘leakage’ of unredacted versions of the file without permission or inappropriately (e.g. to Wikileaks!).
- Accidentally or deliberately disclosing the redacted information by some means other than by releasing the digital data (e.g. by releasing the redaction instructions, or being overheard discussing sensitive matters).
- Placing excessive reliance on redaction, believing it to keep sensitive data totally confidential under all circumstances whereas technical and process failures are possible and incidents sometimes occur in practice, or conversely placing zero reliance on redaction, believing it to be totally incapable of protecting sensitive information (governance and assurance risks).
- Confidentiality failures that are incidental to the redaction process (such as sending the original file, redaction instructions or redacted file to the wrong email address, or these being intercepted by a third party en route to the right person).
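The second risk above (metadata, reviewer comments and other copies surviving a redaction that only touched the visible body) is the one most easily checked mechanically. As an added example, not part of the original post, the script below builds a constructed docx-like zip in memory (Office Open XML files are zips of XML parts) and scans every part, not just the body, for terms that should have been removed; the names and part contents are made up for the illustration.

```python
# Added example (not part of the original post): a post-redaction check that
# scans every part of an Office Open XML file (a zip of XML parts), not just the
# visible body text, for terms that should have been removed. Document properties
# and reviewer comments live in separate parts (docProps/core.xml, word/comments.xml).
import io
import re
import zipfile


def build_sample_docx(parts: dict) -> bytes:
    """Construct a minimal docx-like zip in memory from {part_name: xml_text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def find_residual_terms(docx_bytes: bytes, terms: list) -> dict:
    """Return {part_name: [terms found]} for every zip part still containing a term.
    XML tags are stripped first, so a term split across runs within one part is
    still matched; matching is case-insensitive."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            plain = re.sub(r"<[^>]+>", "", text)
            found = [t for t in terms if re.search(re.escape(t), plain, re.IGNORECASE)]
            if found:
                hits[name] = found
    return hits


# Constructed sample: the body text was "redacted" by replacing the name, but the
# reviewer comment and the core document properties still carry the sensitive terms.
SENSITIVE = ["Jane Doe", "Project Falcon"]
SAMPLE = build_sample_docx({
    "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>Subject: [REDACTED] met the client.</w:t></w:r></w:p></w:body></w:document>",
    "word/comments.xml": "<w:comments><w:comment><w:p><w:r><w:t>Check Jane Doe's figures for Project Falcon</w:t></w:r></w:p></w:comment></w:comments>",
    "docProps/core.xml": "<cp:coreProperties><dc:creator>Jane Doe</dc:creator><dc:title>Project Falcon</dc:title></cp:coreProperties>",
})

if __name__ == "__main__":
    # Reports the comment and properties parts; the body part is clean.
    for part, found in find_residual_terms(SAMPLE, SENSITIVE).items():
        print(f"{part}: {found}")
```

The same scan applied to a real file before release catches the "redacted in the body, still present in comments or properties" failure; it does not detect overlay-style redaction in PDFs or images, which needs a text-layer or pixel-level check instead.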
While I press ahead with other things, I'd be interested to know what digital redaction risks you think I've either missed or mis-stated. I'd also love to hear from you about redaction incidents, particularly those involving digital files, but even those old-skool hardcopy redaction failures can be quite illuminating.
PS By all means comment on this blog if you have something to say, or better still join the discussion on the ISO27k Forum or CISSPforum.
PPS Thanks to the discussion so far, the list of risks has been modified.