Security Think Tank: Follow an information-led, risk-based process to protect IP

Opinion


Intellectual property (IP) theft – whether by competitors or states – has been occurring for a long time. Traditional approaches to protecting IP involve patents, copyrights, trademarks, physical security (locking documents away), classifying documents using a labelling scheme and staff education.

These traditional approaches are still valid today, and may need to be strengthened. They should also be supplemented by a range of electronic approaches. 


These include electronic licensing, encryption, data classification, access control, logically or physically separate networks, and providing "clean" devices to staff travelling to countries where IP theft is likely. All approaches are complicated by the demands of international travel, collaborative working, the need to share information (including IP) in the supply chain, consumerisation, and the cloud.

Information Security Forum (ISF) research has shown that protecting your IP can follow an information-led, risk-based process similar to that used to protect information in your supply chains, as discussed in the Securing the Supply Chain reports and tools. 

The process is modified to reflect the greater control you have over your own organisation and staff, and comprises eight steps:

  1. Understand what you have and what you share
  2. Quantify the effect of losing information: what information, if lost, would hurt us most?
  3. Introduce a physical and electronic labelling scheme
  4. Deploy physical and logical controls: for example, clear desks, lockable cabinets, encryption and access control
  5. Educate your staff in both physical and electronic protection
  6. Investigate and implement technical solutions, such as data loss prevention
  7. Record and manage incidents and breaches: check for relationships and correlation
  8. Think like the thief: identify valuable information and how you would circumvent its protection.

Such a process should yield a mix of physical and electronic approaches that provide the required protection for your organisation and your IP.


Adrian Davis is principal research analyst at the Information Security Forum (ISF).


This was first published in August 2013

 
