As a consultant, protecting the confidentiality of your clients' data is one of your prime duties, both legally...
and ethically. Your consulting contract undoubtedly has non-disclosure terminology that mandates this protection. But even if the contract doesn't contain a legal protection requirement, there is still an ethical mandate to keep the company's data private. It is an essential part of establishing that you are a trustworthy individual who is part of a trustworthy profession.
Protecting your clients' data entails not only not discussing specifics, but also taking active steps to protect any data about the client in your possession. Electronic copies should be encrypted and/or protected with passwords to guard the data if the equipment is stolen. This is also potentially useful if a client tries to use your equipment as a source of industrial intelligence gathering. Similarly, paper copies of confidential information from one client should not be brought to other client sites. If this is unavoidable for some reason, those papers should be kept under lock and key the entire time.
For more information:
- Is vulnerability research ethical? Read more in this Face-Off between Schneier and Ranum.
- Learn more about the ethical requirements of penetration testing.
Dig Deeper on Security operations and management
Related Q&A from David Mortman
Do U.S. passport numbers count as personally identifiable information? Learn more about guidelines for PII in this security management expert ... Continue Reading
Many companies are moving to a system of paperless paystubs. Learn how to protect the information contained in these email paystubs with the use of ... Continue Reading
Looking to get into the world of penetration testing, and you're not sure which certification might help? In this expert response, David Mortman ... Continue Reading