Transcript of: ASIS Information Asset Protection Council

Page 1

Information Asset Protection Council, ASIS INTERNATIONAL

Market Entry Planning for Information Asset Protection in a Global Economy

Sponsored by the ASIS International Information Asset Protection Council

September 24, 2007

Presented by: Richard J. Heffernan, CPP, CISM; Michael D. Moberly; Kevin E. Peterson, CPP


What we will discuss today . . .

- Why do we need “New Directions?”
- What are those “New Directions?”
- What resources are available?
- A quick look at the Global Economy of the 21st Century
- Two key elements:
  - Market Entry Planning in today’s Global Environment
  - Risk Assessment and Due Diligence

Page 2

“We need to transition from a Cold War era ‘Information Security’ approach to a point where comprehensive ‘Information Asset Protection’ strategies are seamlessly integrated into the Enterprise Security Risk Management process.”

Kevin E. Peterson, CPP, Vice Chair, ASIS Information Asset Protection Council


Why do we need a new approach to IAP?

- A new global business environment
- Multiple asymmetric and tough-to-define threats
- Pace and intensity of business transactions
- Regulatory Requirements

Page 3

Why do we need a new approach to IAP? (continued)

- 75% of value, sources of revenue, and wealth creation lie in information assets (IP, intangible assets, competitive advantage)
- Relying solely on checklists leads to complacency and tunnel vision, not “true” risk management
- Asymmetric and continuous threats abound
- We need to avoid the “herd mentality”
- Today’s environment mandates a “big picture” (comprehensive) approach


A New Comprehensive Approach

Elements shown on the slide as components of the comprehensive approach:

- Traditional Security
- Due Diligence
- Risk Assessment
- Product Security
- IP Protection
- Market Entry Planning and Monitoring
- Regulatory Compliance
- Counter Competitive Intelligence
- Export Control
- Enterprise Risk Management
- Liability Management

Page 4

Resources Available Through ASIS . . .

Trends in Proprietary Information Loss Survey

Information Protection Toolkit

Protection of Assets Manual

Visit our Council Web Site at www.asisonline.org/councils/SPI.xml


Today’s Global Business Environment

. . . Risks are Dynamic and Must Be Closely Monitored

. . . Interdependencies are constantly growing in complexity

. . . Cultural factors play an important role

. . . Threats are less well-defined

Page 5

Some Circumstances that are bringing new challenges to information assets protection . . .

1. Data mining

- Ideas and innovation targeted at earliest stages of development

2. Insiders

- Elevated sense of ‘global community’ leads to rationalization

- Recognizing asset value + receptive buyers + ready markets

3. Country GDPs

- Increasingly reliant on infringement and counterfeiting as income sources

4. Legacy free adversaries

- Absent conventional notion of property rights

Left unchecked, probabilities become inevitabilities…

New Threats, New Risks


Where are we heading?

A new approach for conducting risk assessments and due diligence for information assets…

- Know your economic adversaries and competitors
- Risk Assessments/Due Diligence MUST be much more than “snap-shots-in-time”
- Market entry planning must also include asset monitoring

Page 6

Managing Risk To Information Assets

It is often said in the business world that “you can’t manage it if you can’t measure it.”

- Risk assessments should identify, quantify & prioritize risks against the organization’s goals & criteria for risk acceptance.
- The results of an assessment should help in the selection and prioritization of management actions for managing identified risks & the implementation of appropriate options to address those risks.

[1] White paper: Developing IAP Risk Management Strategies for Global Organizations, 2007, Richard J. Heffernan, CPP, CISM


Identifying Business Objectives And Potential Risks To Achieving Those Objectives [1]

- Identify information asset protection related risks through Risk Assessments, Due Diligence & Market Entry Planning and Monitoring.
- Calculate the likelihood of occurrence & impact.
- Plot the risks on a risk graph to help identify the most critical risks.
- Calculate the financial impact of the most critical risks and the cost/benefit, risk/reward of the available options for addressing the risks.
- Create a process for ongoing monitoring of risks.

Page 7

Market Entry Planning & Monitoring

Market Entry Planning should include:

- Identify and assign value to any IPRs and proprietary competitive advantages that are part of any transaction.
- Identify & assess issues related to existing/potential competitors.
- Perform a Due Diligence of any potential partners.
- Review all markets well prior to entry for existing infringements of I.P. Rights of yours or similar products.
- Review IPR registration requirements in each market.
- Assess the ability of each jurisdiction’s IP laws to support continued use, ownership and control of your organization’s IPR & proprietary competitive advantages during and after any business deal.

Market Entry Planning & Monitoring [1] (continued)

Market Monitoring should include:

- Set up a monitoring/sampling program of both Internet and brick & mortar sites to detect & evaluate IPR (Intellectual Property Rights) infringement and competing products.
- Identify specific issues that may erode the value of, or affect the use, ownership or control of, your IPR and proprietary competitive advantages.
- Monitor and gather intelligence on existing & potential competitors’ actions that may affect your IPRs & proprietary competitive advantages.
- Monitor IPR registration activity.

Page 8

Due Diligence Process Elements… *

- Potential partner ties to any foreign governments
- Potential partner links to other firms with IPR violations, trade complaints or export control issues
- Reputation of the potential partner in IPR issues, including:
  - IPR violations, infringements of patents, trademarks & copyrights
  - Trade complaints
  - Export control issues
  - Track record of involvement in targeting of proprietary or trade secret information through open, illegal or unethical means
  - Civil or criminal court records to the extent allowed by law
- Financial metrics and performance of the potential partner
- Identify ownership of the organization and the citizenship status of all owners
- Identify other business assets and business interests of owners
- Previous employment of owners

* Adapted from the ASIS 2006 Trends in Proprietary Information Loss Survey

Risk Management Framework [1]

- Identify Management Objectives
- Event/Risk Identification
- Risk Assessment
- Risk Response
- Control Activities
- Communications
- Monitoring

Page 9

Risk Management Framework [1]

- Identify Management Objectives: Interview or survey division & business unit management & staff to identify information assets, business objectives, financial goals & risk appetite.
- Event/Risk Identification: Identify internal and external events or risks with the potential to affect achievement of business objectives.
- Risk Assessment: Risks (taking into account both threats & vulnerabilities) are analyzed considering likelihood and impact as a basis for determining how they should be managed.
- Risk Response: Management selects responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity’s risk tolerance.

Risk Management Framework [1] (continued)

- Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Communications: Relevant information is communicated across the entity in a form and timeframe that enables people to carry out their responsibilities.
- Monitoring: Risks and risk responses to IP rights and proprietary competitive advantages are monitored and adjustments are made as necessary.

Page 10

Risks Identified through interviews, assessments, due-diligence & monitoring [1]

Product A (Current MKT XX, 60% US / 40% Int.; MKT Potential XX in 20XX)

- Press release without P.R. and security input contains information that has the potential to cause increased risk of kidnapping at the international sales office or product theft at the distribution warehouse.

Product B (Current MKT XX, 75% US / 25% Int.; MKT Potential XX in 20XX)

- Specifics of the 2nd generation of the product in R&D need protection over an extended time period and may be targeted by competitive intelligence gathering attempts at business & scientific off-site meetings.

Product C (completing Phase 3 Clinical Trials; preparing for FDA Panel hearing)

- Competition for orphan drug status; intense competitive intelligence targeting has been identified related to competitive issues re: efficacy and adverse reactions vs. competing product; off-site scientific meetings and FDA Panel meeting rehearsals may be targeted.
- Information security practices of partner may not support company program.

Risks Identified through interviews, assessments, due-diligence & monitoring [1] (continued)

Project 1 (New R&D Facility in planning)

- New location in university research center may be targeted by special interest groups.
- Information security issues caused by shared space in research park.
- Requirement to work with H.R. to limit identification of sensitive new product info in ads and interviews.

Project 2 (Improvement in mfg. yield for “D”, 20XX)

- Competitors targeting process technology.
- Mfg. capacity information targeted.
- Competition recruiting process engineers.

Product D (Acquired through merger; MKT Potential X in 20XX)

- Risk assessment has identified: the need for IPR due diligence of potential distributors and market monitoring; the potential for problems due to price differential; Internet sources offering product below U.S. prices; individual serialization needed to help ID legitimate product & allow track and trace of suspect products.

Page 11

Ranking Risks Based on Business Impact and Likelihood of Occurrence [1]

Identifier | Representative sample of identified events/risks | Likelihood of Occurrence | Impact of Incident Occurring | Risk Ranking Score
A | Identification of specifics of second generation of Product B | H | H | H
B | Press release without security or P.R. input will cause serious security issue | L | L | L
C | Targeting of offsite meeting re: Product C | M | H | M-H
D | Information security practices of partner | L | H | M
E | Price differential between countries will result in cross border trade resulting in lost income | H * | M ** | M-H ***

* Note: occurrence increasing. ** Note: impact increasing. *** Ranking subject to change.

Ranking Risks Based on Business Impact and Likelihood of Occurrence [1] (continued)

Identifier | Representative sample of identified events/risks | Likelihood of Occurrence | Impact of Incident Occurring | Risk Ranking Score
F | Internet sources offering product at prices less than U.S. price | H | M | M-H
G | Need for individual serialization of products to aid in track & trace & identification of diverted or suspected counterfeit products | H | H | H
H | IPR due diligence of potential partners/distributors needed for high risk areas or products | H | H | H
I | Targeting of manufacturing capacity | L | M | L-M
J | Targeting of process technology | H | H | H

Page 12

Using risk ranking to identify the most critical risks

[Risk graph: Impact of incident (Low / Medium / High) plotted against Likelihood of occurrence (Low to High)]
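As an added illustration (not code from the presentation or from the cited white paper) of the procedure on the "Identifying Business Objectives" slide and of the ranking tables and risk graph above: it encodes the ten sample risks A-J with the likelihood and impact ratings from the tables, combines them into a ranking score, places them on the likelihood/impact grid and lists the most critical ones for management reporting. The combination rule (average of likelihood and impact on a 1-3 scale, mapped back to L, L-M, M, M-H, H) is an assumption; it was chosen because it reproduces every score shown on the slides.

```python
"""Ordinal risk ranking over the council's sample risk register (A-J)."""
from dataclasses import dataclass

# Three-level ordinal scale used on the slides.
LEVEL = {"L": 1, "M": 2, "H": 3}
# Assumed combination rule: average of likelihood and impact on the 1-3 scale,
# with midpoints mapped to the split ratings the slides show ("L-M", "M-H").
RATING = {1.0: "L", 1.5: "L-M", 2.0: "M", 2.5: "M-H", 3.0: "H"}


@dataclass
class Risk:
    ident: str
    event: str
    likelihood: str       # "L", "M" or "H"
    impact: str           # "L", "M" or "H"
    notes: tuple = ()     # trend flags carried over from the slide, if any

    def score_value(self) -> float:
        return (LEVEL[self.likelihood] + LEVEL[self.impact]) / 2

    def score(self) -> str:
        return RATING[self.score_value()]

    def subject_to_change(self) -> bool:
        # A rating with a rising trend is not settled and must be re-assessed
        # on the next monitoring cycle (slide note: "ranking subject to change").
        return any("increasing" in n for n in self.notes)


# Representative sample of identified events/risks, as rated on the slides.
REGISTER = [
    Risk("A", "Identification of specifics of second generation of Product B", "H", "H"),
    Risk("B", "Press release without security or P.R. input", "L", "L"),
    Risk("C", "Targeting of off-site meeting re: Product C", "M", "H"),
    Risk("D", "Information security practices of partner", "L", "H"),
    Risk("E", "Price differential between countries drives cross-border trade", "H", "M",
         ("occurrence increasing", "impact increasing")),
    Risk("F", "Internet sources offering product below U.S. price", "H", "M"),
    Risk("G", "Individual serialization needed for track & trace", "H", "H"),
    Risk("H", "IPR due diligence of partners/distributors for high-risk areas", "H", "H"),
    Risk("I", "Targeting of manufacturing capacity", "L", "M"),
    Risk("J", "Targeting of process technology", "H", "H"),
]


def risk_graph(register):
    """Place identifiers on the 3x3 likelihood x impact grid from the slides."""
    grid = {(lk, im): [] for lk in "LMH" for im in "LMH"}
    for r in register:
        grid[(r.likelihood, r.impact)].append(r.ident)
    return grid


def prioritize(register, minimum=2.5):
    """Most critical risks (score >= minimum), ordered for management reporting.
    Ties break on impact first, since the slides rank by business impact."""
    critical = [r for r in register if r.score_value() >= minimum]
    return sorted(critical, key=lambda r: (-r.score_value(), -LEVEL[r.impact], r.ident))


def report(register):
    """One line per critical risk, flagging ratings that are still moving."""
    lines = []
    for r in prioritize(register):
        flag = "  [ranking subject to change]" if r.subject_to_change() else ""
        lines.append(f"{r.ident}  L={r.likelihood} I={r.impact} score={r.score():<4}{flag}  {r.event}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REGISTER)))
    grid = risk_graph(REGISTER)
    print("\nimpact \\ likelihood:   L      M      H")
    for im in "HML":
        cells = ["".join(grid[(lk, im)]) or "-" for lk in "LMH"]
        print(f"{im:>19}  " + "  ".join(f"{c:>6}" for c in cells))
```

Risk E lands in the same M-H band as C and F, but its rising likelihood and impact mark it as the one to re-score first at the next monitoring cycle.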

Prioritizing Critical Risk/Reporting to Management [1]

The risk assessment process may produce a long list of identified risks that need to be prioritized. Issues to be considered include:

- The financial impact of loss should be calculated for the most critical risks.
- A cost/benefit, risk/return analysis of management options for addressing the most critical risks should be performed.
- Significant changes in risk or asset value due to loss should be reported to an appropriate level of management on an event-driven or periodic basis.
- Risks to proprietary competitive advantages and I.P. rights need to be monitored.

Page 13

Risk Response Options *

Management selects risk response options in developing a set of actions to align risks with the organization’s risk tolerance and risk appetite.

- Risk Reduction: Employing security and other measures to mitigate threats, reduce vulnerabilities or lessen the impact of an undesirable event.
- Risk Transfer: A standard management process whereby some or all of the risk is assigned to others (such as an insurance carrier, supplier or vendor).
- Risk Spreading: The practice of dispersing assets geographically or otherwise so as to limit the consequences of an attack or undesirable event in any one location.
- Risk Avoidance: Avoiding risk by not allowing actions that would cause a risk to occur (this may, however, limit the organization’s ability to perform its mission).
- Risk Acceptance: Recognizing and accepting a certain degree of residual risk (sometimes expressed as a dollar value) according to some pre-set criteria or threshold.

* Source: ASIS Information Asset Protection Guideline & ASIS POA Manual 2007

Risk response considerations when choosing options to address identified risks *

The choice of options, as well as the specific security controls employed to reduce risk, should be based on management issues such as:

- Goals and objectives of the organization
- Operational requirements and constraints
- Contractual requirements, obligations and constraints
- Applicable local, national and international laws and regulations
- Unique regional or cultural issues
- Cost of risk reduction in relation to risk reduction benefit
- Cost of risk reduction in relation to other organizational funding issues

Page 14

The Bottom Line . . .

“Assessing and addressing risks enables business. Security’s role is to help organizations assess and address risk to enable business transactions.” *

* Richard J. Heffernan, CPP, CISM