Issue: There's no funding available for a monitoring tool that could help ensure that IP doesn't wind up in the wrong hands.
Action plan: "Steer" an external audit so the report shows how essential this tool is.
Computerworld - When I was invited to a meeting to discuss audits and saw that some representatives of a Big Four consulting company would be there, I was glad the time was open in my schedule. I don't have any money in my budget for external audits, much as I would like to, and I wanted to hear what was being planned.
At the meeting, I discovered that our chief financial officer had hired an internal auditor, who then received a nice budget for some external audits. Listening to the new auditor talk, it was clear that he didn't know much about our company, and he knew nothing about the assessments I had conducted.
I filled him in on what I did and also noted that the last time our company hired a Big Four firm to conduct a risk assessment, we ended up with some nice-looking binders, which are currently collecting dust in several offices around the company. Of course, we got more out of the assessment than that. For example, we got a soft copy of the report, which I posted on the intranet. Although I've announced its availability many times, no one has ever accessed it.
With such a dismal result last time, why am I so keen for another external audit? Because I've decided to take a different approach this time. Rather than have someone get big bucks to tell me something I already know, I want to steer this audit into directions that will accelerate some initiatives regarding intellectual property (IP) protection.
I've been trying for some time now to get valuations of our IP. So far, I haven't been able to get the lines of business to take the time to assess the value of the IP they are responsible for. What sort of financial hit would we take if some of the company's source code, design documents or service manuals were lost or stolen? (I've written about some of this before.) I know that the consequences wouldn't be pretty, but I don't have any real numbers.
I want this audit, then, to identify our most critical and valuable data. If our CFO is willing to spend upward of $40,000 for this audit engagement, the business divisions will surely take the time to meet with the consultants. I want the auditors to come back with a report that identifies critical IP and places a monetary value on that data. Then I would like them to evaluate our ability to protect that data. I know that they will find that our IP resides in many data repositories, including network file shares (on both Unix and Windows), tape drives, SANs, local desktops, e-mail attachments and public folders.

