1

We have a set of ISMS documents like master security policy, supplier relations etc. classified as INTERNAL according to data classification policy.

Now a potential customers infosec department is requiring a copy of all our policies sent to them before they can make a buying decision.

How is everybody dealing with this conflict? Do companies have PUBLIC versions of the policies to share? Is the INTERNAL classification wrong? Can the internal policies be shared with customers if they sign an NDA? I am very unsure because technically sharing internal documents is not allowed. What can be a good compromise on this?

Improve this question
1
  • A NDA must be signed before sharing any confidential data belong to your company with any external parties. Also, some companies maintain a set of documents which summarize the policies and security controls (without any confidential info) for the purpose of sharing with their customers. Commented Dec 8, 2022 at 11:51

3 Answers 3

Reset to default
2

This is an unusual request. Normally, internal policies are assessed against a standard (e.g. ISO 27001). The assessment goes to 3rd parties, not the content of the policies themselves.

Policies that directly affect external stakeholders are normal to disclose to those stakeholders.

Some companies I have worked with had versions of internal policies that were generic and sharable with an NDA.

The INTERNAL classification is not wrong if the external knowledge of those policies represents a risk to the organisation. For instance, if through knowledge of the details of a policy I could more efficiently attack you or evade detection or negotiate ransoms, etc. then you want to keep those policies confidential.

Improve this answer
3

I had a lot of experience with a variety of customers asking for varying levels of access to our internal documentation and controls. It all was handled in context to their type of business. Is the customer in the finance industry? Is it a public institution? Each has their own set of rules they have to follow for vendor management. It isn't common, but also isn't uncommon (if that makes sense).

To answer your questions directly...

  • How is everybody dealing with this conflict?

    I would always defer to our ISO cert or SOC 2 report when requested policies. The entire point of those audits is to have a trusted source verify your controls. Customers can cite that report for demonstrated compliance if it is needed. Sometimes, the customer would still insist given their type of industry having very strict controls. In these cases, most policies are broad enough to be disseminated with an NDA in place. This is keeping in mind the semantics of a policy versus our documented plans. A customer will never get a BCDR plan or the like. They may have the policy so they know how we control it but never how we do it.

  • Do companies have PUBLIC versions of the policies to share?

    Yes and no. Yes in the sense that some policies may be benign enough to freely distribute. Especially if it is unique to your organization and designed as such. No where you would be maintaining two copies of the same policy. This would defeat the purpose of the policy in general and add confusion to those who need to cite it in their duties.

  • Is the INTERNAL classification wrong? Can the internal policies be shared with customers if they sign an NDA?

    As stated by others here, the classification is not wrong. They are, indeed, internal. A good rule of thumb is to think to yourself, "Could the customer get this information from our website?" If the answer is no then there should be no doubt.

  • I am very unsure because technically sharing internal documents is not allowed. What can be a good compromise on this?

    In practice, I would have a SOC report with reference to our ISO cert which is edited so that it may be sent to customers under NDA. That is always the first step. Otherwise, why would we keep paying for these audits if they aren't useful to our customers? Only then, when they have specific questions, I would share policies under an NDA. That compromise has typically deflected a lot of unnecessary back-and-forth for me but that is only my own experience. Mileage may vary for you given your type of business and customers.

Improve this answer
1

It depends on the scope of the documents.

If you offer a product and the customer wants to know the security policies you have in place related to creating and distributing the product (supply chain attack concerns), then that's a valid request.

If you offer a service and the customer wants to know the security policies you have in place in order to protect it (and, by extension, their own operations), then - again - that's a valid request.

But if the customer wants to know in general what policies or processes you have in place, irrelevant of whether they refer to your product or service, then that isn't justified - so you need to ask why.

In practice, because security assurance requests are somewhat common these days, having properly scoped documents facilitates such discussions; you can have documents that refer to your product/service and send them over to your potential customer, given that they also sign an NDA.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.