As a consultant, protecting the confidentiality of your clients' data is one of your prime duties, both legally...
and ethically. Your consulting contract undoubtedly has non-disclosure terminology that mandates this protection. But even if the contract doesn't contain a legal protection requirement, there is still an ethical mandate to keep the company's data private. It is an essential part of establishing that you are a trustworthy individual who is part of a trustworthy profession.
Protecting your clients' data entails not only not discussing specifics, but also taking active steps to protect any data about the client in your possession. Electronic copies should be encrypted and/or protected with passwords to guard the data if the equipment is stolen. This is also potentially useful if a client tries to use your equipment as a source of industrial intelligence gathering. Similarly, paper copies of confidential information from one client should not be brought to other client sites. If this is unavoidable for some reason, those papers should be kept under lock and key the entire time.
For more information:
- Is vulnerability research ethical? Read more in this Face-Off between Schneier and Ranum.
- Learn more about the ethical requirements of penetration testing.
Dig Deeper on Information security policies, procedures and guidelines
Related Q&A from David Mortman
Learn when Social Security numbers can be used for patient identification without violating HIPAA patient confidentiality requirements. Continue Reading
When disaster strikes, will your enterprise be ready? In this security management expert response, David Mortman explains what questions to ask ... Continue Reading
Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert ... Continue Reading