DOCUMENT TYPES

Establishing differences between paper and physical documents at first seems an academic exercise. The differences, however, affect how the security professional implements security measures. Paper docu-ments, usually, are reasonably easy to file away and to destroy. File cab-inets with suitable locks and a commercial-grade shredder offer a fair amount of security. But, handling physical documents, such as infor-mation written on a whiteboard or markings on boxes in inventory, offers different security challenges.

Paper documents contain information written or printed on paper or on a similar material like transparency film or photographic paper.

Common forms of these documents include: paper sheets, transparen-cies, slides, microfilm, microfiche, photographs, labels, and small pack-aging material. They all share the traits of being readable by the human

75

Table 6.1: Document Families

Table 6.2: Paper and Physical Documents Document Types

Category Characteristics

Paper On paper or a similar material, readable by the human eye

Physical On other materials, but still readable by the human eye

Machine-readable Requires electronic equipment to be read or understood

Examples

Paper Paper documents, transparencies, slides,

microfilm, microfiche, photographs, labels, small packaging

Physical Inscriptions, signage, medical imagery such as x-rays, chalkboards, whiteboards, storyboards, some forms of visual art and illustrations, storyboards, boxes and storage containers with exterior markings and information

Machine-readable Videotape, audio tape, CDs, CD-ROMs, DVDs, computer media, files stored electronically

Paper and Physical Document Security Area of Vulnerability Countermeasures 1. Papers thrown into trash 1. Shredding 2. Notes attached to computers and others

areas in workspace

2. Institute a clean desk policy, backed up by inspections

3. Sensitive documents stored in unsecured areas

3. Establish a classification system and a set of secure storage procedures

4. Documents awaiting destruction not secured

4. Provide secure storage for documents scheduled for destruction

5. Printers open to everyone in the facility 5. Secured rooms for printers assigned to sensitive documents

6. Fax machines unsecured 6. Place fax machines handling sensitive traffic in secured printer rooms.

7. Information left on chalkboards, easels, wall displays, and whiteboards

7. Locked rooms for work-in-progress and projects requiring long-term wall graphics. Regular meeting rooms with boards should be erased daily.

8. No media library 8. Establish a media library

eye, sometimes with the aid of magnification, being easily filed away, and being reasonably easy to destroy by shredding, by pulverizing, or by burning. (Reading microfilm and microfiche may require a machine, but since such a machine acts as a magnifier and projector, without elec-tronic processing of the information, classifying these forms in the

“paper family” is reasonable.)

Physical documents are on materials other than those in the paper category. Again, they are visible to the human eye, albeit at times with some magnification. But, creating security through filing away such items or through easy destruction methods becomes more problematical.

Common forms or media for physical documents include: inscriptions, signage, medical imagery such as x-rays, chalkboards, whiteboards, sto-ryboards, some forms of visual art and illustrations, stosto-ryboards, boxes and storage containers with exterior markings and information. (Some may argue that transparencies and medical images, like x-rays, are sim-ilar in that they are both films. Yet, medical images tend to be larger in size than transparencies and have different storage requirements.)

Machine-readable documents require electronic equipment to be seen or heard. Often, these documents are computer based. They yield no information to the unaided human senses. Common forms for these documents include: videotape, audiotape, CDs, CD-ROMs, DVDs, computer media such as floppies, USB drives, memory, and hard drives, and files stored electronically by other means. (See Table 6.3.)

The question then becomes: What is the security impact of all these distinctions? Each document family has its own protection criteria. The savvy security professional understands the differences in the life cycles of each family. Factors to consider for all document types are:

1. Size of the document

2. Ability to store or to hide the document 3. Ability to destroy it

4. Reuse of the medium 5. Visibility to the human eye 6. Audibility to the human ear 7. Copying issues

8. Clandestine theft of the document 9. Mislabeling issues

Obviously, paper documents are reasonably easy to store and to hide from peering eyes, but boxes containing proprietary ingredients for an

industrial process may have markings that are not so easy to hide. Paper documents and photographs generally speak for themselves regarding their content, but a magnetic tape, if mislabeled, may render key data inaccessible. Understanding the security advantages and disadvantages of respective document types becomes essential to any document secu-rity program. (See Table 6.4.)

Recognizing the unique characteristics of the respective document types determines how the security specialist will store, retrieve, protect, allow reuse, and destroy documents. The security of any organization is best judged by how it handles its documents. Information is the lifeblood of any twenty-first century business or organization; slipshod document procedures open the concern to corporate espionage, violations of com-pliance to laws such as Sarbanes-Oxley (SOX), and to litigation by cus-tomers and clients for divulging private or proprietary data.