Leadership Lab: Intellectual Property Series
This series of essays can help the IT manager learn how to identify and protect intellectual property and intangible assets.
Other Related Articles in Leadership Lab: Intellectual Property Series
10 Steps to Protect IP
Mar 13th, 2007
By Stephen Northcutt, Google+
The 10 key factors for protecting your assets should be an implementation priority for a computer security manager. Intellectual property comes under constant attack and if not protected and managed, the value of your organization will be reduced. "Given the enormous value of economic innovations and the intellectual property embedded in them, it is not surprising that the underlying ideas are often stolen by those who pirate or counterfeit patented or copyrighted technologies and products. The Organization for Economic Development (OECD) has estimated that counterfeiting and piracy costs companies as much as $638 billion a year, losses greater than the total GDP of all but 12 countries."1
In order to win the battle, you must believe in the fight. Understand the immense importance and value of IP in your organization. "In the United States alone, for example, studies in the past decade have estimated that over 50 percent of U.S. exports now depend on some form of intellectual property protection, compared to less then 10 percent 50 years ago."2 Make IP a priority. It is imperative that you implement clear and effective policies and procedures that are customized to your IP and environment.
Put forth the effort to fully identify and document your IP. Protection of intellectual property falls under the Information centric approach defense-in-depth concept. Think of concentric rings, at the center of the diagram is your information. However, the center is a container for anything you value. The rich question is, "What are you trying to protect?" You have to know what you have in order to protect it. After you have located your intellectual property is it possible to restrict all of it or some of it to a single section of the network? That would allow you to assign a single group of system administrators to it, mark the data, and thoroughly check for this level of data leaving your network.3 Don't forget to include the valuable intangible assets such as contracts, relationships, trade secrets and know how.
Utilize professional people or services to calculate and assign value to your IP. According to WIPO, "Acceptable methods for the valuation of identifiable intangible assets and intellectual property fall into three broad categories. They are market based, cost based, or based on estimates of past and future economic benefits."4 Review these values periodically, as the value of your IP may increase due to such factors as organizational or market growth.
Determine the risks that your IP faces. One way to do this is threat vector analysis. To employ vector oriented defense in depth: Identify the assets you want to protect, rack and stack the assets and work with the most valuable one first, brainstorm as many possible ways a threat could get to the asset as possible, figure out how to place controls on the vectors to prevent the threat from crossing the vulnerability.5 This will help you to channel and focus your offensive and defensive efforts.
Assemble an IP incident handling team. This should include technical as well as legal, HR, and public relations personnel. You may want to consider the SANS IP incident handling forms.6
Protect IP physically, technologically, and legally. Protect IP using defense-in-depth. Update access control systems to include IP. Have a shredding policy in place for IP waste. Use encryption on all forms of digital IP. Beware of IP and system exploits.
Keep system patches current. This is why a majority of systems are improperly protected.
Implement an IP management process to ensure that your IP is being properly protected over its entire life cycle, from authoring, to assembly, to distribution and archiving.7 This includes internal process so that IP developed by employees is owned by the organization, requirements to report discoveries, a process to commercialize IP, valuation of IP, attack detection and mitigation, and the eventual archiving of the IP.
Implement appropriate human and technological detection mechanisms. Set up a team to occasionally perform detection searches using tools like www.google.com. Keep key word lists used for searches up to date. Implement technology, such as intrusion detection systems (IDS), to detect IP moving on networks internally.
Audit all processes and systems in place to protect and detect IP.
Additionally, consult with legal counsel about your IP. Stay informed. Legal battles are won and lost every day. The outcome of these events can dynamically change the landscape in which we operate with regards to the legal provision provided for IP. These changes may have a great impact on your existing policies and procedures.
It is imperative that we all establish and maintain an understanding of the immense value IP presents to our organizations.
Note, there are other ten steps to protect IP articles that list different steps.8