Auditing Protection of Intellectual Property
Transcript of Auditing Protection of Intellectual Property
![Page 1: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/1.jpg)
David Cronkright
Chuck Dudinetz
Paul Jones
Corporate Auditing
The Dow Chemical Company
February 16, 2012
Auditing Protection of Intellectual Property
![Page 2: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/2.jpg)
Agenda
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
![Page 3: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/3.jpg)
Agenda
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
![Page 4: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/4.jpg)
IP is an asset to be protected…
Technology
Business intelligence
Personal Data
What is IP and why do we care?
![Page 5: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/5.jpg)
IP can take a number of forms…
Explicit
– Electronically stored
– Hardcopy
– The “object” itself
Tacit
– Conversations
– Presentations
What is IP and why do we care?
![Page 6: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/6.jpg)
Loss of IP can have significant consequences…
– Loss of competitive advantage → loss of business
– Loss of licensing revenue
– Loss of prospective M&A partner
– Non-compliance with legal/regulatory requirements
– Damage to reputation
– Sabotage
What is IP and why do we care?
![Page 7: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/7.jpg)
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
Agenda
![Page 8: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/8.jpg)
What’s the risk?
• Risk = Threat x Vulnerability x Consequence
![Page 9: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/9.jpg)
What’s the risk?
![Page 10: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/10.jpg)
Threats…
Industrial Espionage
• Targeting & recruitment of insiders
• Cyber intrusions
• Dumpster diving
• Establishment of business relationships
… Increasingly highly organized, funded, and resourced
Hacktivism
• Politically or socially motivated
• Cause reputation damage
Cyber Crime
• Profit motive
What’s the risk?
![Page 11: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/11.jpg)
Potential Vulnerabilities…
Inherent vulnerabilities
• Targeted industry?
• Geographic presence
Company culture
• Culture of trust?
• Collaborative culture?
• Education & awareness
• Weak policies & procedures
… translate to behaviors
What’s the risk?
![Page 12: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/12.jpg)
Potential Vulnerabilities (Cont’d)…
Workforce dynamics
• Outsourcing
• Turnover
• Hiring practices
• Employee morale
Facility
• Weak physical security
• Multi-tenancy
• 3rd party service providers
• Open work space
• Waste segregation and disposal
• Poor handling of printed documents, portable media
What’s the risk?
![Page 13: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/13.jpg)
Potential Vulnerabilities (Cont’d)…
I/T
• Weak computer room security
• Broadly accessible network ports
• Unsecure data transfer
• Inappropriate access to electronic repositories
• Network perimeter
• Susceptibility to malware
What’s the risk?
![Page 14: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/14.jpg)
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
Agenda
![Page 15: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/15.jpg)
Controls: mitigate the likelihood and/or impact of the threat exploiting a vulnerability
What are the Controls?
![Page 16: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/16.jpg)
Governance
• Assessing Risk
• Organization design/steering
• Communication
• Monitoring
Preventive
• Secure the network perimeter (Firewalls, IPS)
• Secure the data (repository-level access control, DRM, DLP)
• Physical security (badge access)
• Confidentiality agreements
• Workforce education (culture, behaviors)
• Secure disposal of media (including hardcopy)
• Contractual verbiage/third party assurance (for outsourced data)
What are the Controls?
![Page 17: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/17.jpg)
Detective
– Intrusion detection (NIDS, HIDS)
– Critical log review
– Workforce monitoring (behavior changes, hoarding data)
– Monitoring of information extraction/downloading
What are the Controls?
![Page 18: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/18.jpg)
What are the Controls?
Layering of Controls (matrix: Preventive / Detective × I/T / Non-I/T)
• Information handling policies
• Confidentiality agreements
• Background checks
• Workforce onboarding & offboarding
• Workforce behavior monitoring
• Badge access
• Work area segregation
• Clean desk policy
• Locked cabinets
• Document & media disposal
• Computer room security
• Secured network ports
• Encrypted data transfer
• Data Loss Prevention (DLP)
• Firewalls
• Intrusion Prevention
• Antivirus
• Information access monitoring
• Patching
• Intrusion Detection
• Information classification
• I/T access control – Repository level – Data level (DRM)
• Strong passwords
• Elevated access
• Network segmentation
• Egress traffic
• Security incident response
• Logging – Capture – Retention – Analysis
• Vulnerability scanning
• Asset identification & inventory
• Application whitelisting
• Workforce offboarding
• Employee education
• Physical security surveillance
• Investigative processes
• Vehicle inspections
![Page 19: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/19.jpg)
– “Network Perimeter” audits
• Common network access points
• VPN/RAS, Firewalls/Proxy Servers, Circuits, Modems, Physical Controls
– “Intellectual Property” specific audits
• Where the data lives (ex: Crown Jewels)
• Site, Application, Project specific or Hybrid
– “Cyber Security” audits
• Organization’s ability to “sense and respond” to changing threat landscape
• Governance and Control assessments
– “Integrated” audits (strategy going forward)
How do we audit information protection controls?
![Page 20: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/20.jpg)
“Network Perimeter” Audit
(Repeats the Layering of Controls matrix: Preventive / Detective × I/T / Non-I/T.)
![Page 21: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/21.jpg)
“Intellectual Property” Audit
(Repeats the Layering of Controls matrix: Preventive / Detective × I/T / Non-I/T.)
![Page 22: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/22.jpg)
• Much more than “just” I/T controls
• “Sense and respond” approach (peripheral vision)
• Consider effectiveness of controls as a whole
– Layering of controls
– Audit judgment required
• Position to avoid pre-audit window dressing
• Finding broader issues
“Intellectual Property” Audit – Learnings
![Page 23: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/23.jpg)
“Cyber Security” Audit
(Repeats the Layering of Controls matrix: Preventive / Detective × I/T / Non-I/T.)
![Page 24: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/24.jpg)
External Threat – Cyber Security
• It used to be that each company was its own little cyber kingdom, and physical access was the king of controls for external threats
• Thanks to the internet, everything touches everything, so vulnerabilities have increased
• The number, ability and motives of external threats are also increasing
• Updated External Threat audit programs two years ago
![Page 25: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/25.jpg)
External Threat – Cyber Security
• While press releases of APT compromises were out there, little else was available on “APT what and how”
• Lacked expertise / experience to understand the threat termed APT (Advanced Persistent Threat)
• Researched several firms specializing in APT
• The project looked at the threat, its motives, the processes used to compromise a target, and the controls required to slow down, detect and eradicate it.
![Page 26: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/26.jpg)
External Threat – Cyber Security
• The APT is real and has more time and money to get at your IP than you have time and money to secure it.
• It is a paradigm shift from a controls perspective. The logic is “They will get to your data”…
• Preventive controls are there to slow them down so detective controls have time to identify the breach.
• Proper response is required to assure you get all of the compromise before they know you’re on to them.
• To date, espionage has been the primary objective
![Page 27: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/27.jpg)
External Threat – Cyber Security
Results – Two high-level audit programs and insight into the new breed of Cyber Threat
Governance
• Organization & strategy
• Key Relationships
• Training and Awareness
• Establishing the bar; COSO observations
Control Assessment
• Preventive
• Detective
• Response
![Page 28: Auditing Protection of Intellectual Property](https://reader035.fdocuments.in/reader035/viewer/2022062315/568166b2550346895ddab3db/html5/thumbnails/28.jpg)
• About Dow
• What is IP and why do we care?
• What’s the risk?
• What are the key controls?
• How do we audit information protection controls?
• Questions & Answers
Agenda