After you identify the crown jewels, in this case the intellectual property (IP), identify the people, the processes, the procedures, the functions and, yes, the people again (the human element bears re-emphasising) that deal directly or indirectly with the IP, and that includes third-party providers.
Once you have all the necessary inventory at hand, engage the legal and human resources departments to identify the best approach. Some topics for discussion include:
- Third-party contract review;
- Third-party assessments for security due diligence;
- Vetting the critical resources (read: humans) – most companies still do not carry out background checks on their senior executives.
An additional approach could be:
- Align the security strategy with the business strategy and ensure that any projects, big or small, first and foremost, align with the key strategic objectives;
- The information security officer must be a key member of the organisation's project management office or equivalent, and consequently there must be appropriate infosec gates or checkpoints throughout, starting at the conceptual stage;
- In addition, IT operations and infosec need to work together to ensure that new software and tools, which are normally adopted for purely cost-saving reasons, are vetted by the information security office so that the output and benefits of such work are in line with the overall strategic objectives.
Amar Singh is chair of Isaca Security Advisory Group.
This was first published in August 2013