ME2.6:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 15:56, 21 June 2006 by Tdspain

ME 2.6 Internal Control at Third Parties

Control Objective:
Controls provide reasonable assurance that third-party services are secure, accurate and available; support processing integrity; and are defined appropriately in performance contracts.

Managing third-party services includes the use of outsourced service providers to support financial applications and related systems. Deficiencies in this area could significantly impact financial reporting and disclosure of an entity. For instance, insufficient controls over processing accuracy by a third-party service provider may result in inaccurate financial results.

Applicability:

Sarbanes-Oxley
HIPAA
GLBA
PCI
FISMA
NIST SP 800-66
DITSCAP
Control Exception
User Defined


Risk Association Control Activities:

1. Risk: Business requirements are not met or third parties have inappropriate access to business data stores and business processes.


a. SOX.2.0.6 Roles and responsibilities of third parties are clearly defined in the contractual relationship.



2. Risk: Third party entities have inappropriate access to critical business processes and data.


a. SOX.2.0.7 Third party (outsourced) processors have established an acceptable level of control procedures in their operations.


3. Risk: Insufficient controls over processing accuracy by a third-party service provider may result in inaccurate financial results.


a. SOX.2.0.11 A designated individual is responsible for regular monitoring and reporting on the achievement of the third-party service-level performance criteria.



b. SOX.2.0.12 Selection of vendors for outsourced services is performed in accordance with the organization’s vendor management policy.



c. SOX.2.0.13 IT management determines that, before selection, potential third parties are properly qualified through an assessment of their capability to deliver the required service and a review of their financial viability.



d. SOX.2.0.14 Third-party service contracts address the risks, security controls and procedures for information systems and networks in the contract between the parties.



e. SOX.2.0.15 Procedures exist and are followed that include requirements that a formal contract be defined and agreed upon for third-party services before work is initiated, including definition of internal control requirements and acceptance of the organization’s policies and procedures.




f. SOX.2.0.16 A regular review of security, availability and processing integrity is performed by third-party service providers (e.g., SAS 70, Canadian 5970).


Process Narrative
Implementation Guide:

If a third party has a SAS 70 for the current period, review this documentation first. There may be some gaps that need further attention. It is extremely important to be aware of any other relationships, partnerships or other external business situations that exist with this vendor. Control decay arising from these other relationships could pose a threat to your business.

Process Illustration
A process diagram does not exist for this control currently.


Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary
There are no control exceptions. A SAS 70 or document of assurance will only be as comprehensive and sound as the certifying agent's competence level. It is strongly suggested that random spot testing be performed to gain confidence.

Evidence Archive Location
Insert Evidence Description Here. Make a hyperlink to the supporting evidence.

Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.

File:Redlock.jpg

Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:
As desktop applications become more sophisticated, their file formats have become more complex. Application files contain more metadata and hidden information as a byproduct of capabilities such as routing slips, custom properties, version tracking, change tracking, comments, embedded objects and linking to external data sources, to name a few. Utilize available products to identify and remove these data elements that represent potential privacy, policy, and security threats.

The following list represents many forms of metadata to be aware of.

  • Audio and Video Paths
Risk level

Description
Microsoft PowerPoint supports linking to audio and video files using the 'Insert > Movies and Sounds > Movie from File' and 'Insert > Movies and Sounds > Sound from File' commands. Use of this feature results in storing a potentially sensitive link to a local or network file path.
Risk
The storage of an external local or network file path caused by linking to audio and video files exposes an organization to multiple risks. The first risk is that sensitive information may be contained in the directory hierarchy exposed by the path. For example, the directory structure may use a taxonomy that includes information such as a client’s name or identifier. The second risk is that the path information can provide a view into the corporate network topology. This opens an organization to a network intrusion risk. While this risk is mitigated by proper network security, it remains a social engineering threat by providing confidential information to hackers attempting to infiltrate a corporate network. The social engineering risk is elevated when path information is combined with other sensitive data like valid user names, email addresses, and email subject lines.
Applies to:
Microsoft PowerPoint 97 and above


  • Author History
Risk level

Description
Up to the last 10 authors that saved the document are stored in an area of the document that is inaccessible using the Word application. In Word 97 and Word 2000 this information also contains the paths where the document was saved and may include sensitive user logon or network share information.
Risk
The saving of the author history within Microsoft Word documents poses several risks including exposure of personal information, local or network paths, and an audit trail of previous revisions. Personal information will typically include the user names associated with the last 10 revisions of the document. Local or network paths will identify where each revision was saved, opening the risks associated with exposing file paths. The combination of user names and file paths provides an audit trail of previous revisions that may not be desirable. The risk associated with exposing this information often depends on the type of document being considered and the potential reviewers of the document. For example, documents that may be targets of legal discovery and documents that may be published to the web pose a higher risk than other documents.
Applies to:
Microsoft Word 97 and above


  • Comments
Risk level

Description
Microsoft Office supports adding user comments to a document through the 'Insert > Comment' command. Comments often contain private or sensitive information.
Risk
Document comments may be used to expand upon or clarify visible content and pose low risk when used in this manner. However, comments are also often used for internal commentary and collaboration. In this form they can expose sensitive discussions, and if released, may represent a leak of information that was not intended. The severity of the threat is highly dependent on the content of the comments.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Content Properties
Risk level

Description
Content properties are established using the 'File > Properties > Contents' command. They are document properties that provide a view into some of the content within the document. These properties include: Title and Headings in Word documents, Sheet Names and Named Ranges in Excel documents, and Fonts Used, Design Template, and Slide Titles in PowerPoint documents.
Risk
Content properties, for the most part, represent little or no risk since they primarily mirror some visible content from the document. An exception to this rule occurs when an Office document is encrypted but the content properties remain accessible. This hole in the Office encryption feature has been closed in recent versions. However, patching the application will not address existing documents unless they are loaded and resaved by the updated application.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Custom Properties
Risk level

Description
Custom document properties can be created using the 'File > Properties > Custom' command. They may include user defined properties or application generated properties. Custom properties include: Checked by, Client, Date completed, Department, Destination, Disposition, Division, Document number, Editor, Forward to, Group, Language, Mailstop, Matter, Office, Owner, Project, Publisher, Purpose, Received from, Recorder by, Recorded date, Reference, Source, Status, Telephone number, Typist, and all other user defined properties and application generated properties.
Risk
The risk associated with custom properties varies according to their use. Custom properties are often used by software applications to associate metadata with a document. For example, content management systems may use custom properties to assist document categorization and facilitate tracking the document lifecycle. Custom properties are also used by individual users to assist in categorization or carry additional information about the document. Depending on the implementation this information may range from innocuous to highly sensitive.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Database Queries
Risk level

Description
Microsoft Office supports powerful connectivity to databases that results in database connection and query information being stored in Office documents. This information may include a path or URL to a database server, the database username, database password and SQL query strings, all of which can be highly sensitive information.
Risk
The use of database queries to bring external data into Excel is a powerful feature that comes with several serious security risks. Specifically, this feature creates the potential that unauthorized users will be able to independently query a sensitive database at will. In order to allow the query to be updated, whether user initiated or automatic, the document retains the database query parameters. This information may include a file path or URL reference to the database server, SQL query strings that identify the requested data, and the password required to access the database. A file path to the database server opens all of the security threats associated with exposing file paths. SQL query strings can be used to infer the structure of the database. Storing the database password in the Office document is an option the user may choose when creating the query. This option is often activated in order to avoid having to re-enter the password each time the data is updated. This information opens an organization to SQL injection attacks. Proper network security may prevent any external access to the database server but this provides little peace of mind in the event of a network security breach. Internal access, however, may represent an even greater threat since the recipients of the sensitive information are likely behind the firewall but possibly prohibited from accessing the database. Consider an example where the finance department distributes a spreadsheet that at face value simply includes a list of employees by department, but buried within the underlying query lies all the information required to access an employee database filled with confidential data. Extreme caution should be used when releasing spreadsheets that contain database queries.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above


  • Embedded Objects
Risk level

Description
The Office embedded object feature (Insert > Object...) allows embedding an object into the document that is created and served by another application. The resulting object data may then contain any of the hidden and sensitive data issues found in the serving application.
Risk
Office applications leverage embeddings to seamlessly work with each other as well as with other applications to create compound documents. Including a spreadsheet table in a Word document or a chart in a presentation is common and useful. In order for any application to allow an embedding to be edited in its native application, the primary document includes a complete copy of the application data associated with the object. This data is in addition to the graphic rendition of the object that is used for display and printing. It is in this data that security risks can be found. Any security threat that has been identified in documents created by an application can also manifest itself when that application serves an embedding. An additional security concern has been found to exist when using embeddings within documents that have been encrypted using the Office security options. Surprisingly, embedded objects are not encrypted along with the primary document. For example, if an Excel chart is added to a Word document that is then encrypted using Word’s security options, the chart and the entire supporting spreadsheet will be left unencrypted within the Word document. Scrubbing embeddings will remove the ability to make further edits to the embedding while maintaining the most recent graphic rendition of the object.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Fast Save Data
Risk level

Description
The fast save feature in Microsoft Word and PowerPoint is set using the 'Tools > Options > Save > Allow fast saves' command. When fast save is activated, deleted text and data can remain in the file even though they are no longer visible or accessible from within the application.
The fast save feature is enabled by default in Word 97, enabled by default in Word 2000 if it was upgraded from Word 97 and disabled by default in new installations of Word 2000 and above. It can be enabled by the user in all versions of Word.
The fast save feature is enabled by default in all versions of PowerPoint and results in many versions of modified slides remaining in the file.
Risk
The fast save feature of Microsoft Word and PowerPoint is designed to decrease the time required to save a document to disk. This is accomplished by attaching changes to the end of the existing document rather than completely rewriting the modified document. Unfortunately, this will result in leaving deleted text and data in the document long after it was apparently removed by the user. This creates the risk of exposing the previous state of a document to recipients. A second risk is that this feature of Office can be used to transfer confidential information through documents in a way that will circumvent most content filtering technologies. The occurrence of this feature in Word documents is low because the Fast Save option was turned off by default with the release of Office 2000, though upgrading Office in place may maintain the state of this option. This risk remains a threat in existing, pre-Office 2000 Word documents. This feature is still on by default as of the current release of Microsoft PowerPoint. As a result, it is common for PowerPoint documents to include multiple prior versions. This is particularly concerning when considering the frequency with which pre-existing presentations are modified for a slightly different audience. Imagine the risk of distributing a sales presentation to one prospect that was given earlier to another prospect, knowing that the prior version is buried somewhere in the file.
Applies to:
Microsoft Word 97 and above
Microsoft PowerPoint 97 and above


  • Hidden Slides
Risk level

Description
The PowerPoint hidden slide feature (Slide Show > Hide Slide) allows individual slides to be hidden during the slide show and printing of the presentation. Hidden slides may contain information that is not intended for general release.
Risk
Hidden slides are often used to tailor a presentation to a particular audience or to adjust a presentation to meet a required time allotment. In many cases, exposing the hidden slides does not represent any type of privacy or security concern. In some cases, however, the hidden slide may contain data not intended for the target audience, creating a risk of leaking sensitive information. Any presentation that contains hidden slides should be reviewed prior to distribution in order to determine whether the slide should be removed.
Applies to:
Microsoft PowerPoint 97 and above


  • Hidden Text
Risk level

Description
Text that has been intentionally hidden (Format > Font... > Font > Hidden) by the user may contain sensitive information that should be reviewed or removed before distributing the document.
Risk
The use of hidden text exposes the author to unintended information disclosure. Hidden text may be used for internal commentary, temporary display and print removal, or as a method of deleting text so that it can be later retrieved if desired. It is less common to find hidden text that provides intended useful content because this is usually done with comments. Releasing documents that contain hidden text to third parties is considered a high security risk when not first reviewed by the author.
Applies to:
Microsoft Word 97 and above


  • Linked Objects
Risk level

Description
The Office linked object feature (Insert > Object...) allows linking to an external file that is managed and rendered by another application. These links can expose local and network path information.
Risk
Office applications enable the primary document to include references to external documents that are then rendered directly into the primary document. Using this feature stores a file path or URL to the external document within the primary document. This is done to allow automatic updates to the primary document that incorporate changes to the linked document and to allow direct authoring of the external document within the primary document framework. The existence of path information that supports this feature opens an organization to network intrusion and social engineering risks. Removing the link information can be done without affecting the most recent rendering of the linked object.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Macros and Code
Risk level

Description
Microsoft Office includes support for Visual Basic and can be used to create everything from simple macros to data entry forms to full blown applications. Visual Basic can also be used to create macro viruses that travel with documents.
Risk
The risk associated with macros and code being present within inbound documents is a well known virus threat. The risk associated with outbound documents includes the unintended redistribution of viruses and the potential disclosure of sensitive information contained within an otherwise valid macro. Information disclosure can come in the form of user names, code comments, and potentially confidential approaches to programmatically accessing corporate resources. Macros and code are often used to support the document creation process but are not intended or desired in the final version of the document. In other examples, macros and code provide important and useful functions to the recipient as might be the case with controls and forms. Determining the risk associated with releasing documents that contain macros and code typically requires user review.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Office GUID Property
Risk level

Description
The Office GUID property is a document property created by versions of Microsoft Office prior to the release of Office 2000. This globally unique identifier (GUID) can be used to identify the computer from which the document originated.
Risk
Documents containing the Office GUID property expose an organization or individual to the risk of losing anonymity. The Office GUID property can be used to uniquely identify the machine on which a document originated. It can also be used to determine if multiple documents originated on the same machine. This property is no longer stored in Office documents as of the release of Office 2000 and is consequently now considered a low risk element. Archived documents and documents created with older versions of Office are still at risk of this disclosure.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Outlook Properties
Risk level

Description
Outlook properties are custom document properties that may be added by Microsoft Outlook to Office documents when they are sent as attachments. These properties include the author, email address, subject of the email, and review cycle identifiers associated with the attachment.
Risk
The Microsoft Outlook practice of adding email metadata properties into Office attachments can result in unintended and sensitive information disclosure. The property metadata may include the sender’s email address, email display name, routing identifiers, and the subject line of the email message to which the document was attached. Disclosing this information to the recipient of the email message does not represent a direct threat because the recipient receives most of this information from the email headers by default. However, inserting this information into the attached documents without any user intervention or awareness allows this information to continue to travel with the document well beyond the initial email recipient. If the document is subsequently published to the web it will publicly expose a valid email address, the associated user display name, and a valid related email subject line. The dangers of this release of information can range from simple embarrassment to confidential leaks and, at minimum, present spammers with additional opportunity.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Presentation Notes
Risk level

Description
The PowerPoint notes feature allows notes to be associated with each slide. Notes may contain general content or internal commentary that should be reviewed or removed prior to distributing a presentation.
Risk
Presentation notes, also referred to as speaker notes, are commonly used to document specific points the speaker would like to make during the presentation. In most cases these notes represent useful additional content that can be safely shared with any recipient of the presentation document. Oftentimes, however, these notes are written in a style that is targeted at the speaker alone and are not intended to be directly shared with the audience. In other cases, the notes are used to facilitate collaboration between multiple authors or reviewers working on the presentation. Distributing or publishing a presentation that includes speaker notes carries the risk of disclosing unintended or even confidential information.
Applies to:
Microsoft PowerPoint 97 and above


  • Printer Information
Risk level

Description
Printer setup information is often stored within a Microsoft Word or Excel document. In the case of network printers, this information may include potentially sensitive network share information and less sensitive printer model names.
Risk
The release of documents that include printer setup information carries the risk of disclosing sensitive file path information. This information can also include the model of the printer in the form of a text name. The model name represents little or no concern to most users, though it can be used in digital forensics to narrow down the origin of a document. Printer location information is stored in the form of a file path. This carries the typical risks associated with file path exposure including network intrusion and social engineering concerns.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above


  • Routing Slip
Risk level

Description
The email routing feature of Microsoft Office (File > Send To > Routing Recipient) stores the email addresses and user names of recipients in the document.
Risk
Email routing slips are introduced into documents that enable the document routing feature. Each routing slip may contain the email display name and email address of the originator and all recipients of the routed document. The routing slip can also contain the subject line, message body, and the date and time stamp of the routing email. This information will remain in the document after it has been routed and can expose an organization to the release of sensitive information. This exposure may be of particular concern with documents that are a target of legal discovery and documents that are made available to the public via electronic distribution or publication.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Scenario Comments
Risk level

Description
Microsoft Excel supports associating user comments with the scenario feature (Tools > Scenario... > Comment). Scenario comments may include sensitive information and often include hidden author information in addition to the comment.
Risk
The use of scenario comments, similar to document comments, carries the risk of unintended information disclosure. The comments will often include a user name and date and time stamp in addition to the comment text. The Scenario feature provides a powerful mechanism to quickly analyze multiple models within a spreadsheet. Scenario comments are considered a low risk in terms of unintended information disclosure but do carry some risk because they will not be obvious to the author when reviewing the visible content.
Applies to:
Microsoft Excel 97 and above


  • Sensitive Hyperlinks
Risk level

Description
The Office hyperlink feature (Insert > Hyperlink) allows the creation of links to various locations. Two of the possibilities, fully qualified local paths and network paths, can provide unwanted insight into an organization's internal structure. Web links are not treated as sensitive.
Risk
Sensitive hyperlinks are hyperlinks to a resource located on a local or network drive. As such, they carry the risks associated with exposing path information. This includes the release of confidential network topology information and sensitive directory naming conventions. Releasing network resource names can subject an organization to network security risks through direct intrusion attempts and through social engineering attacks.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above


  • Sensitive INCLUDE Fields
Risk level

Description
The Microsoft Word include field feature provides non-OLE based linking to external files (Insert > Field > IncludeText and Insert > Field > IncludePicture). These fields may contain fully qualified local paths or network paths.
Risk
Sensitive INCLUDE fields carry the risk of exposing sensitive local and network file paths which can provide insight into an organization's internal network structure. The release of path information carries the risks of network intrusion, sensitive information exposure, and social engineering threats.
Applies to:
Microsoft Word 97 and above


  • Statistic Properties
Risk level

Description
Statistic properties (File > Properties > Statistics) are document properties that include: Created, Modified, Accessed, Printed, Last saved by, Revision number, Total editing time, Pages, Paragraphs, Lines, Words, Characters, Bytes, Notes, Hidden Slides, Multimedia clips, and Presentation format. Additional application maintained properties in this category include: Application name, Hyperlinks changed flag, Links up to date flag, and Scale flag. Some or all of these properties should be reviewed or removed prior to document distribution.
Risk
Statistic properties are document properties that track editing details about the document. For example, the amount of time spent editing the document, the number of paragraphs and pages in the document, and when the document was created, last modified, or accessed. Releasing most of this information with the document raises little or no security concerns but is made available for review due to its nature as metadata. The various date and time stamp statistics might expose a level of undesirable tracking information in extremely security conscious environments, or in environments where such information can be correlated to time and billing or raise concern about a document’s creation and revision dates. Consider the scenario whereby an author is contracted to produce a document for a client, and the client discovers that the ensuing document was actually created prior to the parties’ relationship.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Summary Properties
Risk level

Description
Summary properties (File > Properties > Summary) are document properties that include: Title, Subject, Author, Manager, Company, Category, Keywords, Comment, Hyperlink Base, Template, and Preview Picture. Some or all of these properties should be reviewed or removed prior to document distribution.
Risk
Summary properties include a collection of metadata that summarizes the document along with attributes of the author or environment of the document. This data is considered a low risk security element for most users. However, one should consider whether properties like author, category, keywords, and comment need be exposed when releasing a document to wider distribution. A second risk is that encrypted Office documents created prior to version 2003 have unencrypted document properties, partially exposing some information about a document believed to be password protected.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Template Name
Risk level

Description
If a template other than Normal.dot is used, the document will contain a full path to the template file. This can expose local path or network share information.
Risk
Use of templates other than normal.dot will result in exposure of a fully qualified local or network path to the template. This element can carry all of the risks associated with exposing file paths, including network intrusion and social engineering attacks, as well as revealing confidential naming conventions.
Applies to:
Microsoft Word 97 and above


  • Tracked Changes
Risk level

Description
The change tracking feature of Microsoft Office tracks insertions, deletions and formatting changes made to the document. Such changes contain deleted text and author and date information that may be unintentionally left in the document upon distribution.
Risk
Tracking changes in documents is a powerful feature that enhances the collaboration process by providing valuable change history. It can be useful for individual authoring and indispensable when multiple authors and reviewers are involved. But a very high information disclosure risk comes with this power. Documents often reach points in their lifecycle where tracked changes should either be accepted or rejected and a clean version of the document should be saved. This is required when it is no longer desirable to share the history of deletions and additions with the next group of recipients of the document. Many organizations have experienced the fallout associated with releasing a document with change tracking still enabled. The results can range from embarrassing to adversely affecting business, and depending on the sensitivity of the content, can even be used to support evidence discovery for litigation.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above


  • User Names
Risk level

Description
A number of Office features cause user names to be saved in the document, including the document properties Author and Last Saved By, document routing recipients, Word comment and tracked change authors, Excel scenario authors, file sharing participants, and the last user to edit a Microsoft Excel document or view a Microsoft PowerPoint document.
Risk
The existence of user names in documents represents a potential privacy breach and can also create an unintended audit trail of authors. User names can be carried with comments, change tracking, email routing information, document properties, and author history, to name a few. Keeping track of the users involved in the document creation process provides useful information and is often not considered an information disclosure risk. However, user names are a form of personal information and there are many scenarios where releasing that information is not desirable. When a document is going to be shared with a larger audience, such as published to the web, the question of whether user names represent an undesired release of personal information is worth consideration. Even documents that are only shared with a small group through email may unexpectedly disclose the names of users that have touched the document at some point in its history. This risk can be classified as very serious for scenarios where there are regulatory mandates (e.g. HIPAA) that identify the release of personal information as illegal.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above
Microsoft PowerPoint 97 and above


  • Versions
Risk level

Description
The versioning feature (File > Versions) in Microsoft Word allows multiple historical versions of a document to be saved within a single file. Versioning is useful during document creation but potentially sensitive once a document is released.
Risk
The version feature of Microsoft Word carries with it a high risk of unintended information disclosure. This feature allows the author to archive the current state of a document into the file so that it can be extracted at a later time if required. Users that rely upon this feature as a form of version control run the risk of accidentally releasing older versions of the document that are not intended to be viewed by the recipient. The severity of this threat is heavily dependent on the sensitivity of the document content.
Applies to:
Microsoft Word 97 and above


  • Weak Protections
Risk level

Description
Weak protections are features of an application that appear to provide a strong level of protection against specific user actions on the document but in fact can be easily removed from the file without access to a password.
The Microsoft Word protection features (Tools > Options... > Security > Password to modify) and (Tools > Protect Document... > Password (optional)) are weak protections because they do not result in encrypting the file and are easily circumvented with minor changes to the underlying file.
The Microsoft Excel protection features (Tools > Options... > Security > Password to modify) and (Tools > Protection > Protect Sheet... > Password to unprotect sheet) are weak protections because they do not result in encrypting the file and are easily circumvented with minor changes to the underlying file.
Risk
Weak protections carry the risk of leading the user to believe that controls placed on the document are safely protected when they are not. The weakness lies in the fact that because the document is not encrypted, the protection can be easily disabled by hacking the file to overwrite or clear the protection commands. Since these features do not attempt to modify the viewing of a document, they don’t pose any direct information disclosure threats. However, if the protection is removed the user will have access to more features that may indirectly expose additional information. An example of this risk occurs when assuming that a spreadsheet which includes sheet protection will effectively prevent recipients from examining hidden cells. Once sheet protection is removed the user will then be able to unhide the cells and expose potentially sensitive information.
Applies to:
Microsoft Word 97 and above
Microsoft Excel 97 and above


--Mdpeters 10:46, 15 June 2006 (EDT)

Implementation guidance
An example of an open community application to address this risk is Bitform Discover.
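A pre-release check for two of the elements described above, User Names and Tracked Changes, can also be scripted. The following Python code is an added example, not part of the original page and not taken from Bitform Discover; it assumes the document has been saved in the Office 2007+ Open XML (.docx) format, which the page itself does not cover, and the names `audit_docx` and `build_sample` are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"  # Clark notation
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def _part(z, name):
    """Parse one package part, refusing DTDs (OOXML parts never carry one)."""
    if name not in z.namelist():
        return ET.Element("missing")  # empty element: the lookups below find nothing
    raw = z.read(name)
    if b"<!DOCTYPE" in raw:
        raise ValueError(f"{name}: DTD not allowed")
    return ET.fromstring(raw)

def audit_docx(data: bytes) -> dict:
    """Return user names and tracked-change residue found in a .docx package."""
    out = {"user_names": set(), "insertions": 0, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = _part(z, "docProps/core.xml")  # Author and Last Saved By
        for el in (core.find(DC + "creator"), core.find(CP + "lastModifiedBy")):
            if el is not None and el.text:
                out["user_names"].add(el.text)
        doc = _part(z, "word/document.xml")
        for el in list(doc.iter(W + "ins")) + list(doc.iter(W + "del")):
            if el.get(W + "author"):
                out["user_names"].add(el.get(W + "author"))
            if el.tag == W + "ins":
                out["insertions"] += 1
            else:  # a tracked deletion keeps the removed text in w:delText runs
                out["deleted_text"].append("".join(t.text or "" for t in el.iter(W + "delText")))
    return out

def build_sample() -> bytes:
    """Constructed sample: only the two parts the audit reads, not a full document."""
    parts = {
        "docProps/core.xml": f'<c:coreProperties xmlns:c="{CP[1:-1]}" xmlns:d="{DC[1:-1]}">'
        "<d:creator>alice</d:creator><c:lastModifiedBy>bob</c:lastModifiedBy></c:coreProperties>",
        "word/document.xml": f'<w:document xmlns:w="{W[1:-1]}"><w:ins w:author="carol"><w:r>'
        '<w:t>new</w:t></w:r></w:ins><w:del w:author="dave"><w:r><w:delText>old price</w:delText>'
        "</w:r></w:del></w:document>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

A document is ready for wider distribution under this check only when `insertions` is 0 and `deleted_text` is empty, and every entry in `user_names` is one the organization is willing to disclose. Comments, formatting-change records and the binary .doc, .xls and .ppt formats are outside what this check reads.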