At issue: The audit group wants more done to safeguard intellectual property.
Action plan: Dust off the IP protection road map.
Computerworld - From the day I arrived at this company, I've had the protection of our intellectual property on my radar. It's been a part of my information security road map, but I've never been able to fully implement my plans, because I haven't had the resources I needed. Now those constraints might disappear.
This prospect has arisen thanks to the company's internal audit group. That group has always been focused on financial audits, but it just completed a comprehensive audit of other areas, and IP protection emerged among the top three challenges we face. The auditors report to the board of directors, who naturally have a lot of influence over the executive staff. That means money could start flowing to new priorities, and I want to be first in line. But I'll have to dust off (and possibly modify) that road map for IP protection.
My larger security road map focuses on four main areas: people, processes, policies and technology. IP protection is a factor in each one. Here are the basics of what I think we need in each area to ensure the security of our IP.
People: The main goal here is to change employees' behavior, which will require helping them understand what IP protection means, how to recognize IP, how to protect it and how to spot indicators of abuse. I've always wanted to create an interactive IP protection training video that would let us gauge employees' understanding of the material as they go along. So far, I've only had the resources to put together a series of PowerPoint slides.
Processes: We need to make sure that the processes we use to identify, handle and protect IP and to report suspicious activity are optimized for the goal of safeguarding the IP. I've already deployed technology that could provide a process for protecting data and detecting breaches. But it hasn't been widely taken up, and I need to get the momentum going to expand its use.
Policies: I've already written plenty of policies; that doesn't cost anything. What we need to focus on is disseminating those policies to employees. A policy that sits unread on a Web site does no good. We can tell employees to read the policies, but that won't do much good either. That's because prosecution of an employee who steals IP can't go forward unless there's evidence that he knew he wasn't supposed to do something like send IP to his home e-mail account. What we need is to have the employees state in writing that they understand our IP protection policies.

