The term knowledge is power is very accurate in the corporate world, as information is key to keeping ahead in the game. But really two questions stick out at me; firstly "what is there to know" and "who needs to know". The first ask the executive what type of information is out in the market place about there organization, this information paints a picture of the company. The latter when summed up really asks who is view this information and what are they want to see or what are they looking it up for. Well let us investigate the side of affect of doing business, which is exposure and what or who we are being exposed to.

Doing business requires putting ones self in the lime light, the positive connotation of this is called marketing or publicity. Your organizations desire to let only the good things be said. Powerful tools when speaking of the companies' products, services, and success stories.    We are all bombarded everyday by ads, news stories of how one product or service is better that the next and how company A has experienced a certain percentage of growth during a particular quarter. Via the World Wide Web, especially search engines which in my opinion should be labeled 'How to find anything for Dummies'.    Really by typing in key words and phrases you can find out almost anything on any one or there company.   Really is this a problem, isn't much of the information a company has is actually intended for public disclosure. Information such as that contained within "marketing materials" is a clear example. Some information must be disclosed as a matter of law, and is actually public record.

The issue is however as many of you would agree is the second question "who needs to know" Today even in the smallest business unit, it is understood that not everyone, even those holding higher positions in the hierarchy or in an organizational structure do not really "need to know" all of the information that is being protected. To better appreciate this concept, we have all since September 11, 2001 been educated about terrorist operations and have heard the terms 'cell' being used. In a terrorist cell (unit, group, division) the members of that cell are only provided with a limited amount of knowledge about the activities of the overall terrorist organization of which that cell is a small part. In the event of their arrest or capture, even if the individual wanted to cooperate with authorities, that person does not have knowledge that would be particularly damaging to the overall organization. The practice is illustrates the need to know principal, another term that can be used is called "compartmentalization" is now utilized.

When we look at Best Practices and Benchmarking we see that this type of organizational behavior is critical to 'Keeping our Secrets, Secret", taken from the U.S. Central Intelligence Agency (CIA) motto. For example the Vice President for Marketing may be very high in the organization hierarchy but does not 'need to know' the details about an employee's confidential health records, in order for him or her to fulfill their duties in the marketing division of the company. This separation is important because it makes more difficult for unauthorized persons to get a clear picture of the organizations intentions and maneuvering.

Thus we see the need for well established internal controls as it pertains to information sharing, which cannot be limited to the IT Department. Really, IT or rather information stored on the computer has its origin as some idea or concept that most likely gets discussed in meetings where hard copy notes are taken. We must then realize that security of information then begins long before you secure it on you CPU. So just how do we begin this process, which obviously becomes a task of educating client personnel on how to implement and maintain it, rather than the consultant having extensive access to the information itself.

Michael Miner is a Senior Associate in Kroll Schiff & Associates; suggest the following categorizing of information

1. PERSONNEL CONFIDENTIAL - These are the portions of employee records that are to be protected against general disclosure.

2. BUSINESS CONFIDENTIAL - Generally, this would be information that is not subject to the Trade Secrets Act but that does have commercial value to competitors.

3. SPECIAL CONTROLS –   A description for this class might include that it is of significant economic value to the holder and would include ideas that may be at a stage of development

4. SECURITY SENSITIVE - Information that could be used to compromise or circumvent security measures of the company needs particular care.

As with any security program the parameters must be tailored to that particular organization and when dealing with information the particular culture of the organization must not be overlooked. Next we will continue this discussion and provide some more guidance in developing and implementing this type of program.

Gamal Newry is the President of Preventative Measures, a Loss Prevention and Asset Protection Training and Consulting Company, specializing in Policy and Procedure Development, Business Security Reviews and Audits, & Emergency and Crisis Management. Comments can be sent to P.O. Box N-3154 Nassau, Bahamas or, email; info@ preventativemeasures.net or visit us at www.preventativemeasures.net