Analyze documents for content and security before you publish them. Since they may contain metadata (i.e., “hidden” data not immediately viewable), you may inadvertently pass along confidential or sensitive information to individuals inside and outside your organization — information like:
- Computer name
- Tracked Changes (redline edits)
- Various document versions
- Dates created, modified, and accessed
- Checked by
Many applications (e.g., Microsoft Word and Corel WordPerfect) automatically insert information such as the author, company, manager, etc., every time the document is saved. Sometimes hidden information is manually saved, such as comments. Applications with versioning capability maintain different versions of the same document within the same file. Editing tools, such as Track Changes in Word, keep deleted text within the document until the changes are accepted. In addition, some programs keep an “undo-redo” history unless the user chooses not to save the history with the document.
Whether you are writing a report, web page, tutorial, or any other type of document, you must balance the specific information you publish with the security risks that information poses to your company, department, institution, or organization. Analyze your documents for their content and potential security and/or information leaks so that publishing or distributing them won't inadvertently or unknowingly lead to a breach of security or confidentiality.
General Guidelines for Publishing Electronic Documents
Whether you post your documents on a Web site, or simply forward them to a colleague, follow best practices.
- Proofread your material before publishing it. Make certain it does not contain any personal, confidential, or sensitive material.
- Do not post any confidential or sensitive information in screen grabs or other graphics.
- Do not mention an actual internal (i.e., unavailable to the public) server or IP address. Use pseudonyms instead.Do not post infrastructure design documentation.
- Do not post project plans that include design documentation, specifications, actual server names, etc.
- Remove all hidden data (see next section).
- Publish to PDF format and add security that controls whether or not the user can read or print the document, or copy/edit text.
Remove Hidden Data
If your document should not contain any hidden data, do the following before publishing or distributing it, especially if you are the final author or responsible party in a collaboration:
- Remove all the File ► Properties information you don't want to remain with your document.
- Remove all redline edits (e.g., Track Changes). Make sure the document is the way you want in and “accept all changes” to remove redlining.
- Remove all document comments.
- In Word, click on File ► Properties ► Custom tab and individually delete all document owners' and/or reviewers' names.
- Disable “fast saves” to ensure deleted information is really deleted.
- Delete previously saved versions contained within your document.
- Consider using third party tools to purge or “scrub” your document of all hidden data like number of revisions, total editing time, and dates created, modified, accessed, and printed. Otherwise, save your document in PDF format after you have removed as much hidden data as is manually possible.
- If available in your applications, use whatever security options exist to delete all personal information and warn you if your document contains tracked changes or comments before you print, save, or send the document.
Additional Guidelines for Posting Web Pages
Follow all the guidelines above, but when you must publish documents that contain personal information or server names, IP addresses, project plan, etc., post it securely so that only those who have a need to know can access it with the authentication of a user IDs and passwords, such as on or in:
- A secure Intranet
- A secured server folder (e.g., Outlook Public Folder)
- A secure customized web portal (e.g., Sharepoint)
For more detailed information on the risks of metadata and ways to maintain content and document security, visit metadatarisk.org.