There are two basic options to ensure you don’t share document metadata outside your organization. One option is to stop emailing electronic files. A second and more realistic alternative would be to utilize a software application to clean the documents before you share them.
For many people, the concept of metadata is foreign, so, if you utilize a software application to remove metadata, it needs to be as transparent as possible. When looking at a software solution it’s also important to think about the types of document metadata that you may or may not want to strip out of your documents. The metadata you want to share could very well change when you email a document to an external client versus an internal coworker.
Metadata stripping applications should also allow policies to be set that will consistently strip preset metadata from every document sent via email. Some metadata, such as track changes, comments, and footnotes, will occasionally need to be sent along with a document. At other times, you’ll want it removed before sharing. Make sure that any solution you are using gives you the flexibility to choose whether or not to have this information cleaned from the document or not.
You may also want to limit how users can share documents. A complete document protection application will provide the ability to restrict whether or not a document can be emailed externally. It should also allow you to convert your Microsoft Word documents into PDF format to lock down the content that you are sending. This will allow someone to view the content, but they will not be able to make any changes to your PDF.
The following top ten best practice tips should be followed to ensure your organization is protected from the risk of document metadata:
- Establish an enterprise-wide metadata policy and determine what metadata is of risk to you and why
- Remove all Microsoft Word documents from your web-site
- Implement an enterprise-wide Metadata removal application
- Ensure your Metadata removal application has the ability to centrally enforce your metadata policy
- Ensure your Metadata removal application is integrated to your email system for complete protection
- Ensure your Metadata removal application contains functionality to review a report of existing metadata in documents before cleaning or sending to others
- Encourage the use of sending PDF files, which have already been cleaned by a metadata removal application, to external parties where appropriate.
- Remove all metadata from your template library to reduce the risk of any metadata being inherited from previously used documents
- Turn ‘Highlight Track Changes’ on before sending documents to others to review if a history of changes exists
- Click View-Comments from your Microsoft Office application before sending documents to others to review if a history of comments exists
The following steps can ensure that documents that you send or share with others remain secure and confidential:
- Establish an enterprise wide metadata policy and deploy an enterprise-wide Metadata removal application
- Distribute published documents in a metadata-free PDF format
- Encourage PDF security and file encryption by selecting a PDF conversion technology that incorporates these features
- Consider sending documents in zip format with a zip password
Architectures and Applications Division of the Systems and Network Attack Center (SNAC), NSA
There are a number of pitfalls for the person attempting to sanitize a Word document for release. This paper describes the issue, and gives a step-by-step description of how to do it with confidence that inappropriate material will not be released.
See how document control and security can improve online business processes.