From Tim Howard, CSSM, on the Security blog, here are “a few simple measures” for keeping security secure:
• Practice need-to-know. Only share security-related information with those who need to know.
• Practice compartmentalization. For larger security entities, do not permit everyone to know everything about the operation.
• Employ the use of Non-disclosure Statements. People will realize you are serious about your security information if they have to sign a legally binding agreement.
• Be sure those in your audience are in the security profession. If you are going to speak at a security event about detailed information regarding security vulnerabilities and mitigation, be sure those in the audience are security professionals.
• Know the difference between general security information the public should know and information that is specific to your technology and your processes.
• Ensure there are effective security policies in place to protect important security information.