PDF security audit checklist for businesses

An eight-point PDF security audit checklist for business teams.

By ScoutMyTool Editorial Team · Last updated: 2026-05-20

The PDFs leaving a business carry more risk than most teams notice: failed redactions, leaked metadata, weak encryption, embedded files, and active JavaScript can all expose information the sender intended to hide. The good news is the audit is straightforward — eight checks per file, most automatable, run on a sample of outbound documents quarterly. This article maps the eight-point audit, the policy controls that prevent the common failures, and the tools that make the checks repeatable.

The eight-point security audit

Check | Risk if missed | Policy control
Encryption tier | RC4 or weak password = file recoverable in hours | Standardise on AES-256 with 12+ char passwords
Redaction technique | Rectangle annotations leak underlying text | Use destructive redaction; verify by selecting redacted region
Metadata leak | Author / Producer / Creation date reveal source info | Strip metadata for external distribution; use clean templates
Hidden text / layers | Hidden content survives in content stream | Flatten file before sending; check Properties → Content
Embedded files | Attached files (Excel, ZIP) in PDF go unnoticed | Audit File → Properties → Attachments; remove unintended
Digital signature trust | Unverified signatures look valid in default viewers | Verify signature chain; require qualified signatures for high-value
Outbound link annotations | Hyperlinks in PDF can route to malicious URLs | Audit links; sanitise URLs in templates
JavaScript actions | Embedded JS can execute in some readers | Disable JS in reader settings; strip JS from incoming PDFs

Step by step — run a quarterly audit

  1. Pick a random sample of 10–20 outbound PDFs from the past quarter (legal, finance, HR, marketing, client-facing each represented).
  2. Run the audit on each with Acrobat Pro Preflight, Properties → Description, and Tools → Remove Hidden Information; record failures.
  3. Categorise findings. Failed redactions (highest severity), metadata leaks (moderate), embedded files (variable), JS / hidden content (case-by-case).
  4. Brief the responsible teams. Failed redactions in legal → train legal; metadata leaks in marketing → fix template; etc.
  5. Set a policy fix for the most common failure pattern. Often: standardise the export template to strip metadata; mandate destructive redaction tools.
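As an added example (not the page's or any vendor's code), the following Python script runs a byte-level triage of the checklist rows over a quarterly sample and orders each file's findings by the step 3 severities, then reports the most common pattern for step 5. It assumes the sample arrives as a dict of filename to PDF bytes; the four sample files are hand-constructed fragments, not real documents. The caveat is built in: dictionaries stored inside compressed object streams or an encrypted file are invisible to a byte scan, so such files are flagged for full-parser or Acrobat Pro review rather than reported clean. The encryption tier and the signature chain are left to dedicated checks (pdfsig, and a reading of the /Encrypt dictionary).

```python
"""Byte-level triage of the checklist rows (added example, stdlib only).

Assumption: the audit sample is a dict of {filename: pdf_bytes}. The scanner
looks for the PDF objects behind each checklist row directly in the raw bytes,
which is quick and dependency-free but is a first pass: dictionaries held in
compressed object streams (/ObjStm) or in an encrypted file are invisible to
it, so those files are flagged for manual review instead of reported clean.
"""
import re
from collections import Counter

# Checklist row -> regex for the object that creates the risk.
CHECKS = {
    "javascript": rb"/(?:JavaScript|JS)\b",            # /S /JavaScript /JS (...) actions
    "embedded_file": rb"/EmbeddedFile\b",              # file attachment streams
    "link_uri": rb"/URI\s*\(",                         # outbound link annotations
    "rectangle_annotation": rb"/Subtype\s*/Square\b",  # drawn box, possible annotation-as-redaction
    "hidden_layers": rb"/OCProperties\b",              # optional content (layers)
    "encrypted": rb"/Encrypt\b",                       # tier is a separate check
    "object_streams": rb"/Type\s*/ObjStm\b",           # content this scanner cannot see
}

# Severity per finding, following step 3 of the procedure.
SEVERITY = {
    "rectangle_annotation": "high",      # failed-redaction candidate
    "javascript": "high",
    "embedded_file": "variable",
    "link_uri": "moderate",
    "metadata": "moderate",
    "hidden_layers": "case-by-case",
    "encrypted": "info",
    "object_streams": "manual-review",
}
RANK = ["high", "variable", "moderate", "case-by-case", "manual-review", "info"]

METADATA_KEYS = ("Author", "Producer", "Creator", "Subject", "Keywords")


def audit_pdf_bytes(data: bytes) -> dict:
    """Return {finding: detail} for one file; an empty dict means no finding."""
    findings = {}
    for name, pattern in CHECKS.items():
        hits = len(re.findall(pattern, data))
        if hits:
            findings[name] = hits
    # Info-dictionary entries written as literal strings, e.g. /Author (J. Doe)
    meta = {}
    for key in METADATA_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\((.*?)\)", data, re.DOTALL)
        if m and m.group(1).strip():
            meta[key] = m.group(1).decode("latin-1")
    if meta:
        findings["metadata"] = meta
    return findings


def categorise(findings: dict) -> list:
    """Order one file's findings highest severity first (step 3)."""
    return sorted(((SEVERITY[n], n) for n in findings),
                  key=lambda item: RANK.index(item[0]))


def audit_sample(files: dict) -> dict:
    """Run the scan over the quarterly sample: {filename: categorised findings}."""
    return {name: categorise(audit_pdf_bytes(data)) for name, data in files.items()}


def most_common_failure(results: dict):
    """Step 5: the pattern to fix by policy, or None if the sample is clean."""
    counts = Counter(name for findings in results.values() for _, name in findings)
    return counts.most_common(1)[0][0] if counts else None


# Constructed sample files (hand-written PDF fragments, not real documents).
SAMPLE_FILES = {
    "legal_contract.pdf": (
        b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Square /Rect [72 700 300 720] /IC [0 0 0] >> endobj\n"
        b"5 0 obj << /Author (J. Doe - Legal) /Creator (Microsoft Word) >> endobj\n%%EOF\n"),
    "marketing_brochure.pdf": (
        b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/launch) >> >> endobj\n"
        b"5 0 obj << /Author (Project Falcon draft) /Producer (Acrobat) >> endobj\n%%EOF\n"),
    "finance_report.pdf": (
        b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
        b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
        b"trailer << /Encrypt 9 0 R /ID [<00> <00>] >>\n%%EOF\n"),
    "clean_export.pdf": (
        b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"5 0 obj << /Producer () >> endobj\n%%EOF\n"),
}

if __name__ == "__main__":
    results = audit_sample(SAMPLE_FILES)
    for name, findings in results.items():
        print(name, findings or "clean")
    print("most common failure:", most_common_failure(results))
```

Run it as a script and the per-file lines read like a step 2 record; the final line is the pattern step 5 turns into a template or tooling fix. Swap SAMPLE_FILES for the real sample (read each file with `open(path, "rb")`) to use it on a quarter's output.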

Tools that automate the audit

Three tool categories make the audit repeatable rather than artisanal. First, command-line tools: pdfinfo, qpdf --check, exiftool, pdfsig — each runs in seconds against a file or a directory of files and is scriptable for batch audit of an entire quarterly sample. Second, Adobe Acrobat Pro's Preflight (Tools → Print Production → Preflight): runs profile-based checks including security checks; save a custom profile for your organisation's policy. Third, server-side data loss prevention (DLP) platforms (Microsoft Purview, Forcepoint, Symantec): scan PDFs leaving the corporate network for PII, sensitive metadata, and policy violations.

For small businesses, the command-line stack plus periodic Acrobat Pro audits is sufficient. For enterprises, the DLP platform is the right level of automation because it scales across thousands of daily outbound files. The audit cadence (quarterly for small, continuous for enterprise) should match the volume; doing it less often than your file output rate justifies invites the slow drift that audits exist to catch.

Common audit findings and how to address each

Three findings come up in nearly every audit. First: marketing and sales teams ship PDFs with author metadata containing personal names, internal project codenames, or draft-status tags. Fix: build metadata-strip into the marketing export template so every outbound PDF goes through the strip step. Second: legal teams use rectangle annotations as redactions and assume the underlying text is hidden. Fix: mandate destructive-redaction tools (block annotation-as-redaction via IT policy and training). Third: finance teams password-protect PDFs with short or shared passwords. Fix: require minimum 12-character per-document passwords, transmitted out-of-band.

None of these findings is unusual; all are preventable with template / tool / training fixes. The audit is what surfaces the patterns; the fix is policy plus tools, applied to the responsible teams.

FAQ

How do I audit a PDF for hidden content I do not know is there?
Three tools, layered. First, Acrobat Pro: File → Properties → expand the Description, Security, and Initial View tabs; then Tools → Protect → Remove Hidden Information to scan for unexpected content (annotations, form fields, hidden layers, JavaScript, embedded files, metadata, deleted content fragments). Second, command-line pdfinfo (from poppler-utils): dumps metadata and structure to a text stream you can grep. Third, `qpdf --check input.pdf` (open source): validates the file structure and reports anomalies. For high-stakes audits (before distributing confidential documents), run all three. A PDF that has been Word-edited, redacted, and signed often carries remnants of each step that are not visible but are extractable.
What is the most common security failure in business PDFs?
Failed redactions — rectangle annotations drawn over sensitive text without removing the underlying content. The text appears hidden visually but is still in the PDF content stream and can be extracted by anyone with Acrobat Pro or a PDF parser. The 2018 court filings in US v. Manafort, the 2017 release of Reality Winner NSA documents, and dozens of less-famous cases involved redactions that were defeated this way. Always use destructive redaction (ScoutMyTool Redact PDF, Acrobat Pro Redact); verify by attempting to select the redacted region after applying — you should get nothing or the redaction colour, never the original characters.
How do I prevent metadata from leaking confidential information?
Strip metadata before external distribution. Acrobat Pro: File → Properties → Description → blank out Author and Subject, then save. Command line: `exiftool -all= file.pdf` removes every metadata field including XMP. For sensitive document workflows, build metadata-stripping into the export step so it always runs before send — most authoring tools have a "minimise file properties" or "remove personal info on save" option. Producer and Creator fields can reveal which tool authored the PDF (and by extension, which department or person); strip these for anonymous distribution.
My team password-protects PDFs — is that enough?
Depends on the password and the encryption tier. AES-256 with a strong 12+ character password is sound — brute-force is computationally infeasible. AES-128 with the same password is also fine for most use cases. RC4 (default for PDFs before 1.6) is broken — modern cracking tools defeat RC4 PDFs in hours regardless of password strength. Standardise on AES-256 and audit historical files; PDFs created before 2010 may be on RC4. Also avoid relying on the "owner password" (permissions password) for security — most PDF editors ignore those restrictions. Only the "user password" (open password) actually prevents access.
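Added example (not from the page or its tools): how an automated tier check reads the cipher off the standard security handler. ISO 32000-1 section 7.6 ties the /V entry of the /Encrypt dictionary to the algorithm: V 1 and 2 are RC4 (40-bit, or /Length bits), V 4 uses named crypt filters whose /CFM is /V2 (RC4-128) or /AESV2 (AES-128), and V 5 with /AESV3 is AES-256. Assumptions: files come as a dict of filename to bytes, the dictionary is stored uncompressed, and the four samples are constructed fragments with placeholder /O and /U values. The levels "fail", "below-standard" and "ok" follow the answer above. The check reports the cipher only; a file protected with an owner password alone carries the same dictionary, so this does not tell you whether a user (open) password is actually set.

```python
"""Encryption-tier check from the standard security handler (added example,
stdlib only). Reads /V, /R and the crypt filter named by /StmF from the
/Encrypt dictionary (ISO 32000-1 section 7.6) and maps them to a cipher.
Assumption: {filename: pdf_bytes} input, dictionary stored uncompressed;
the regex parse is triage, not a full PDF parser.
"""
import re

# /CFM value of a crypt filter -> (cipher, key bits)
CFM_TO_CIPHER = {"V2": ("RC4", 128), "AESV2": ("AES", 128),
                 "AESV3": ("AES", 256), "None": ("none", 0)}


def find_standard_security_dict(data: bytes):
    """Return the body of the object whose /Filter is /Standard, or None."""
    for m in re.finditer(rb"\d+\s+\d+\s+obj\s*(<<.*?>>)\s*endobj", data, re.DOTALL):
        if re.search(rb"/Filter\s*/Standard\b", m.group(1)):
            return m.group(1)
    return None


def _int_entry(body: bytes, key: str, default=None):
    m = re.search(rb"/" + key.encode() + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default


def _name_entry(body: bytes, key: str, default=None):
    m = re.search(rb"/" + key.encode() + rb"\s*/(\w+)", body)
    return m.group(1).decode() if m else default


def classify_encryption(data: bytes) -> dict:
    """Cipher, key size, /V, /R and a policy level for one file."""
    body = find_standard_security_dict(data)
    if body is None:
        return {"cipher": "none", "key_bits": 0, "version": 0, "revision": 0,
                "level": "unencrypted"}
    v = _int_entry(body, "V", 0)
    r = _int_entry(body, "R", 0)
    if v == 1:
        cipher, bits = "RC4", 40
    elif v == 2:
        cipher, bits = "RC4", _int_entry(body, "Length", 40)
    elif v in (4, 5):
        # Streams use the crypt filter named in /StmF; look up that filter's /CFM.
        stmf = _name_entry(body, "StmF", "Identity")
        cf = re.search(rb"/" + stmf.encode() + rb"\s*<<(.*?)>>", body, re.DOTALL)
        cfm = _name_entry(cf.group(1), "CFM", "None") if cf else "None"
        cipher, bits = CFM_TO_CIPHER.get(cfm, ("unknown", 0))
    else:
        cipher, bits = "unknown", 0
    if cipher == "RC4":
        level = "fail"            # recoverable in hours regardless of password
    elif cipher == "AES" and bits >= 256:
        level = "ok"
    elif cipher == "AES":
        level = "below-standard"  # AES-128: acceptable, but policy says AES-256
    elif cipher == "none":
        level = "unencrypted"     # /Identity crypt filter: nothing is protected
    else:
        level = "manual-review"
    return {"cipher": cipher, "key_bits": bits, "version": v, "revision": r,
            "level": level}


def encryption_policy_gaps(files: dict) -> dict:
    """{filename: level} for every file not at 'ok': the re-encryption worklist."""
    gaps = {}
    for name, data in files.items():
        level = classify_encryption(data)["level"]
        if level != "ok":
            gaps[name] = level
    return gaps


# Constructed fragments (placeholder /O and /U values), not real files.
SAMPLES = {
    "legacy_2009.pdf": (
        b"%PDF-1.4\n7 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
        b"/O <01> /U <02> >> endobj\ntrailer << /Encrypt 7 0 R /ID [<aa> <aa>] >>\n%%EOF\n"),
    "contract_aes128.pdf": (
        b"%PDF-1.6\n7 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 /P -3904 "
        b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
        b"/StmF /StdCF /StrF /StdCF /O <01> /U <02> >> endobj\ntrailer << /Encrypt 7 0 R >>\n%%EOF\n"),
    "board_pack_aes256.pdf": (
        b"%PDF-1.7\n7 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 "
        b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> "
        b"/StmF /StdCF /StrF /StdCF /O <01> /U <02> /OE <03> /UE <04> /Perms <05> >> endobj\n"
        b"trailer << /Encrypt 7 0 R >>\n%%EOF\n"),
    "brochure_plain.pdf": (
        b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_encryption(data))
    print("worklist:", encryption_policy_gaps(SAMPLES))
```

The worklist is what the "audit historical files" step produces: every RC4 file is a re-encryption job, AES-128 files are a lower-priority upgrade, and unencrypted files need a decision on whether they should have been protected at all.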
What policy controls should we have for PDF security?
Five basics. First, standardise on a current PDF version (1.7 or 2.0) and AES-256 encryption — document in IT policy. Second, mandate destructive redaction (not annotation) for any PII redaction. Third, run metadata-strip on PDFs leaving the network — easily automated via Adobe Document Cloud or a server-side process. Fourth, train staff to verify redactions visually (select-copy test) before distributing. Fifth, audit a random sample of outgoing PDFs quarterly to catch process drift. The whole policy fits on one page; the auditing is what makes it real.

Browser-based redact + protect for the audit

ScoutMyTool Redact and Protect run client-side. Audit fixes never expose the file to a third-party server.