Post on 30-Mar-2015
David Cronkright
Chuck Dudinetz
Paul Jones
Corporate Auditing
The Dow Chemical Company
February 16, 2012
Auditing Protection of Intellectual Property
Agenda
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
What is IP and why do we care?
IP is an asset to be protected…
• Technology
• Business intelligence
• Personal Data
IP can take a number of forms…
Explicit
– Electronically stored
– Hardcopy
– The “object” itself
Tacit
– Conversations
– Presentations
Loss of IP can have significant consequences…
– Loss of competitive advantage / loss of business
– Loss of licensing revenue
– Loss of prospective M&A partner
– Non-compliance with legal/regulatory requirements
– Damage to reputation
– Sabotage
What’s the risk ?
• Risk = Threat x Vulnerability x Consequence
Threats…
Industrial Espionage
• Targeting & recruitment of insiders
• Cyber intrusions
• Dumpster diving
• Establishment of business relationships
… increasingly highly organized, funded, and resourced
Hacktivism
• Politically or socially motivated
• Cause reputation damage
Cyber Crime
• Profit motive
Potential Vulnerabilities…
Inherent vulnerabilities
• Targeted industry?
• Geographic presence
Company culture
• Culture of trust?
• Collaborative culture?
• Education & awareness
• Weak policies & procedures
… translate to behaviors
Potential Vulnerabilities (Cont’d)…
Workforce dynamics
• Outsourcing
• Turnover
• Hiring practices
• Employee morale
Facility
• Weak physical security
• Multi-tenancy
• 3rd party service providers
• Open work space
• Waste segregation and disposal
• Poor handling of printed documents, portable media
Potential Vulnerabilities (Cont’d)…
I/T
• Weak computer room security
• Broadly accessible network ports
• Insecure data transfer
• Inappropriate access to electronic repositories
• Network perimeter
• Susceptibility to malware
What are the Controls ?
Controls: mitigate the likelihood and/or impact of the threat exploiting a vulnerability
Governance
• Assessing risk
• Organization design/steering
• Communication
• Monitoring
Preventive
• Secure the network perimeter (firewalls, IPS)
• Secure the data (repository-level access control, DRM, DLP)
• Physical security (badge access)
• Confidentiality agreements
• Workforce education (culture, behaviors)
• Secure disposal of media (including hardcopy)
• Contractual verbiage/third party assurance (for outsourced data)
Detective
• Intrusion detection (NIDS, HIDS)
• Critical log review
• Workforce monitoring (behavior changes, hoarding data)
• Monitoring of information extraction/downloading
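The detective controls above (monitoring of information extraction/downloading, workforce monitoring for data hoarding) can be implemented against a document repository’s access log. The following Python is an added example and is not part of the Dow presentation: it flags a user whose daily download count spikes against their own baseline of other days, or whose daily download volume exceeds an absolute cap. The log format, the sample lines and the thresholds are constructed assumptions for the example and would be tuned per repository.

```python
"""Detective control: flag users whose document downloads spike versus their own
baseline (added example, not from the Dow presentation).

Log format (constructed for this example):
    2012-02-01T09:14:02Z,alice,DOWNLOAD,DOC-1041,204800
Fields: UTC timestamp, user id, action, document id, bytes transferred.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 'alice' has a steady baseline; 'bob' hoards on 2012-02-03.
SAMPLE_LOG = """\
2012-02-01T09:14:02Z,alice,DOWNLOAD,DOC-1041,204800
2012-02-01T10:02:11Z,alice,VIEW,DOC-1042,0
2012-02-01T11:30:45Z,bob,DOWNLOAD,DOC-2001,102400
2012-02-01T14:05:00Z,alice,DOWNLOAD,DOC-1043,307200
2012-02-02T08:55:19Z,bob,DOWNLOAD,DOC-2002,51200
2012-02-02T09:40:33Z,alice,DOWNLOAD,DOC-1044,409600
2012-02-02T16:12:07Z,alice,DOWNLOAD,DOC-1045,204800
2012-02-03T22:01:00Z,bob,DOWNLOAD,DOC-2003,1048576
2012-02-03T22:01:30Z,bob,DOWNLOAD,DOC-2004,1048576
2012-02-03T22:02:10Z,bob,DOWNLOAD,DOC-2005,2097152
2012-02-03T22:02:45Z,bob,DOWNLOAD,DOC-2006,4194304
2012-02-03T22:03:20Z,bob,DOWNLOAD,DOC-2007,1048576
2012-02-03T22:04:00Z,bob,DOWNLOAD,DOC-2008,1048576
2012-02-03T22:04:40Z,bob,DOWNLOAD,DOC-2009,1048576
2012-02-03T22:05:15Z,bob,DOWNLOAD,DOC-2010,1048576
2012-02-03T10:20:00Z,alice,DOWNLOAD,DOC-1046,204800
"""


def parse_log(text):
    """Yield (date, user, action, doc_id, nbytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, doc, nbytes = parts
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
            yield day, user, action, doc, int(nbytes)
        except ValueError:
            continue


def daily_downloads(text):
    """Per user, per day: [download count, set of distinct docs, total bytes]."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, set(), 0]))
    for day, user, action, doc, nbytes in parse_log(text):
        if action != "DOWNLOAD":
            continue
        rec = stats[user][day]
        rec[0] += 1
        rec[1].add(doc)
        rec[2] += nbytes
    return stats


def find_hoarding(text, spike_factor=4, min_count=5, abs_bytes=8 * 1024 * 1024):
    """Alert when a user's daily download count is at least min_count and more than
    spike_factor times the median of their other days, or when the day's total
    bytes reach abs_bytes. Thresholds are assumptions for the example."""
    alerts = []
    for user, days in daily_downloads(text).items():
        for day, (count, docs, total) in sorted(days.items()):
            others = [d[0] for od, d in days.items() if od != day]
            baseline = median(others) if others else 0
            spike = count >= min_count and count > spike_factor * max(baseline, 1)
            bulk = total >= abs_bytes
            if spike or bulk:
                alerts.append({"user": user, "day": day.isoformat(),
                               "downloads": count, "distinct_docs": len(docs),
                               "bytes": total, "baseline": baseline,
                               "reason": "spike" if spike else "bulk_bytes"})
    return alerts


if __name__ == "__main__":
    for a in find_hoarding(SAMPLE_LOG):
        print(a)
```

Comparing each user against their own history rather than a single global threshold keeps the control useful for roles that legitimately download a lot; the absolute byte cap catches a first-day hoarder who has no baseline yet.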
What are the Controls ?
Layering of Controls (the slide lays these out as a Preventive / Detective grid for Non-I/T and I/T controls)
Non-I/T controls
Preventive
• Information handling policies
• Confidentiality agreements
• Background checks
• Workforce onboarding & offboarding
• Badge access
• Work area segregation
• Clean desk policy
• Locked cabinets
• Document & media disposal
• Computer room security
• Employee education
Detective
• Workforce behavior monitoring
• Physical security surveillance
• Investigative processes
• Vehicle inspections
I/T controls
Preventive
• Secured network ports
• Encrypted data transfer
• Data Loss Prevention (DLP)
• Firewalls
• Intrusion Prevention
• Antivirus
• Patching
• Information classification
• I/T access control - Repository level - Data level (DRM)
• Strong passwords
• Elevated access
• Network segmentation
• Egress traffic
• Application whitelisting
• Asset identification & inventory
• Workforce offboarding
Detective
• Information access monitoring
• Intrusion Detection
• Logging - Capture - Retention - Analysis
• Vulnerability scanning
• Security incident response
How do we audit information protection controls ?
– “Network Perimeter” audits
• Common network access points
• VPN/RAS, firewalls/proxy servers, circuits, modems, physical controls
– “Intellectual Property” specific audits
• Where the data lives (ex: Crown Jewels)
• Site, application, project specific or hybrid
– “Cyber Security” audits
• Organization’s ability to “sense and respond” to a changing threat landscape
• Governance and control assessments
– “Integrated” audits (strategy going forward)
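The “Network Perimeter” audit above lists firewalls and proxy servers among the access points to review. As an added example that is not part of the Dow presentation or its audit programs, the following Python reviews a constructed firewall ruleset for the findings such an audit looks for: any-to-any allow rules, management services reachable from outside, unrestricted egress that would bypass proxy or DLP inspection, and rules shadowed by an earlier rule under first-match evaluation. The rule format, the 10.0.0.0/8 internal range and the risky-service list are assumptions made for the example.

```python
"""Perimeter audit helper: review a firewall ruleset for common weaknesses
(added example, not Dow's audit program).

Rule format (constructed for this example; first matching rule wins):
    id, action(allow|deny), source, destination, service, comment
Addresses are CIDR or 'any'; services are 'tcp/22', 'udp/53', ... or 'any'.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Assumed list of management services that should not be reachable from outside.
RISKY_INBOUND = {"tcp/23", "tcp/22", "tcp/3389", "tcp/445", "tcp/135"}

# Constructed sample ruleset.
SAMPLE_RULES = """\
10,allow,any,10.1.5.0/24,tcp/443,public web tier
20,allow,any,10.1.5.20/32,tcp/3389,vendor remote support (temporary)
30,allow,10.0.0.0/8,any,any,outbound for users
40,allow,10.2.0.0/16,any,tcp/80,proxy bypass for lab
50,deny,any,any,any,cleanup
"""


def net(s):
    """'any' becomes None; anything else is parsed as a network."""
    return None if s == "any" else ipaddress.ip_network(s, strict=False)


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        f = [p.strip() for p in line.split(",", 5)]
        if len(f) != 6 or not f[0].isdigit():
            continue  # skip blank, header or malformed lines
        rules.append({"id": int(f[0]), "action": f[1].lower(), "src": net(f[2]),
                      "dst": net(f[3]), "svc": f[4].lower(), "comment": f[5]})
    return rules


def covers(a, b):
    """True if rule a's match space fully contains rule b's (None means any)."""
    def contains(x, y):
        return x is None or (y is not None and y.subnet_of(x))
    return (contains(a["src"], b["src"]) and contains(a["dst"], b["dst"])
            and (a["svc"] == "any" or a["svc"] == b["svc"]))


def is_external(n):
    """'any' or any network outside the internal range counts as external."""
    return n is None or not n.subnet_of(INTERNAL)


def audit_rules(rules):
    """Return (rule id, finding) pairs in ruleset order."""
    findings = []
    for i, r in enumerate(rules):
        rid = r["id"]
        if r["action"] == "allow":
            if r["src"] is None and r["dst"] is None and r["svc"] == "any":
                findings.append((rid, "any-any-any allow"))
            if (is_external(r["src"]) and r["dst"] is not None
                    and r["dst"].subnet_of(INTERNAL) and r["svc"] in RISKY_INBOUND):
                findings.append((rid, f"management service {r['svc']} exposed from outside"))
            if (r["src"] is not None and r["src"].subnet_of(INTERNAL)
                    and r["dst"] is None and r["svc"] == "any"):
                findings.append((rid, "unrestricted egress (bypasses proxy/DLP inspection)"))
        # First-match semantics: an earlier rule that covers this one makes it dead.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((rid, f"shadowed by rule {earlier['id']} (never matches)"))
                break
    return findings


if __name__ == "__main__":
    for rid, msg in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {rid}: {msg}")
```

Shadowed rules matter to an auditor because they show that a documented control (rule 40’s proxy bypass in the sample) is not what the device actually enforces; the broader rule 30 in front of it is the real control, and it is the one that opens unrestricted egress.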
“Network Perimeter” Audit
“Intellectual Property” Audit
“Intellectual Property” Audit - Learnings
• Much more than “just” I/T controls
• “Sense and respond” approach (peripheral vision)
• Consider effectiveness of controls as a whole
– Layering of controls
– Audit judgment required
• Position to avoid pre-audit window dressing
• Finding broader issues
“Cyber Security” Audit
External Threat – Cyber Security
• It used to be that each company was its own little cyber kingdom, and physical access was the king of controls for external threats
• Thanks to the internet, everything touches everything, so vulnerabilities have increased
• The number, ability and motives of external threats are also increasing
• Updated External Threat audit programs two years ago
• While press releases of APT compromises were out there, little else was available on the “what and how” of APT
• Lacked expertise / experience to understand the threat termed APT (Advanced Persistent Threat)
• Researched several firms specializing in APT
• The project looked at the threat, its motives, the processes used to compromise a target and the controls required to slow down, detect and eradicate it
• The APT is real and has more time and money to get at your IP than you have time and money to secure it
• It is a paradigm shift from a controls perspective. The logic is “They will get to your data”…
• Preventive controls are there to slow them down so detective controls have time to identify the breach
• Proper response is required to assure you get all of the compromise before they know you’re on to them
• To date espionage has been the primary objective
Results - two high-level audit programs and insight into the new breed of cyber threat
Governance
• Organization & strategy
• Key relationships
• Training and awareness
• Establishing the bar; COSO observations
Control Assessment
• Preventive
• Detective
• Response