Thursday, October 04, 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."


The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information assets, such as:
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dies and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."


The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.


Tuesday, October 02, 2007

Economic spies charged

Two US citizens have been charged with economic espionage, theft of trade secrets and conspiracy to steal microchip designs from NetLogic Microsystems, their employer, and Taiwan Semiconductor Manufacturing Company, to sell to the Chinese army. If convicted, they could be sentenced to 15 years in prison.


Friday, September 14, 2007

McLaren fined $100m

The McLaren-Ferrari industrial espionage incident is drawing to a close with McLaren being fined $100m by the FIA and losing all their points in the constructors' championship. McLaren's drivers who top the drivers' championship have been spared the whip, thanks in part to their cooperation with the FIA's investigation.


Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.


Thursday, August 16, 2007

Failed redaction reveals trade secrets

Lawyers acting for the US Federal Trade Commission in an anti-trust case against a food company released inadequately-redacted documents, thereby disclosing highly sensitive proprietary information about the company's competitive strategies - "dozens of trade secrets" according to the Washington Post article. The failed redaction attempt involved pasting black blocks over the relevant text but since the original text was there 'underneath', it was a simple matter to remove the blocks from the electronic documents published. After being alerted to the gaffe, the lawyers printed and scanned the redacted documents: the hidden text cannot be revealed from the published scanned images, but of course it's all too late since Associated Press got the originals.
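The failure mode here is worth seeing in the document itself: a black rectangle painted over text in a PDF content stream does not remove the text object, so extracting the text (or deleting the rectangle) recovers it. The following is an added example, not code from the original post, the Washington Post article or the FTC. It is a deliberately simplified scanner for the handful of content-stream operators involved (BT/Td/Tj/ET for text, x y w h re f for a filled rectangle) and assumes one Td and one Tj per text object, literal strings without escaped parentheses, an uncompressed stream, and no text matrix or clipping; the sample stream is constructed. It reports strings that are merely painted over, and shows the correct fix, which is to delete the covered text objects rather than just draw over them.

```python
"""Detect 'overlay-only' redaction in a PDF page content stream.

Added example, not code from the original post or the case it describes.
Simplified on purpose: handles BT ... x y Td (string) Tj ... ET text objects
and x y w h re f filled rectangles only. Assumptions: one Td/Tj per text
object, no escaped parentheses in strings, uncompressed stream, no text
matrix or clipping. A production check would use a full PDF library and
run over every page.
"""
import re
from dataclasses import dataclass


@dataclass
class TextRun:
    x: float
    y: float
    text: str
    pos: int  # offset in the stream, used to compare drawing order


@dataclass
class Rect:
    x: float
    y: float
    w: float
    h: float
    pos: int


NUM = r"(-?\d+(?:\.\d+)?)"
TEXT_RE = re.compile(
    rf"BT\b.*?{NUM}\s+{NUM}\s+Td\s+\((.*?)\)\s*Tj.*?\bET\b", re.DOTALL)
RECT_RE = re.compile(rf"{NUM}\s+{NUM}\s+{NUM}\s+{NUM}\s+re\s+f\b")

# Constructed sample page: the second line is "redacted" only by painting a
# black box over it, which is exactly the mistake described in the post.
SAMPLE_STREAM = """
BT /F1 12 Tf 72 700 Td (Public summary of the merger review) Tj ET
BT /F1 12 Tf 72 680 Td (CONFIDENTIAL: planned price floor 3.20/lb) Tj ET
0 0 0 rg
70 676 300 16 re f
BT /F1 12 Tf 72 660 Td (Filed with the FTC) Tj ET
"""


def parse_text(stream: str) -> list[TextRun]:
    return [TextRun(float(m.group(1)), float(m.group(2)), m.group(3), m.start())
            for m in TEXT_RE.finditer(stream)]


def parse_rects(stream: str) -> list[Rect]:
    return [Rect(*(float(g) for g in m.groups()), m.start())
            for m in RECT_RE.finditer(stream)]


def covers(rect: Rect, run: TextRun) -> bool:
    """True if the rectangle is drawn after the text and encloses its origin."""
    return (rect.pos > run.pos
            and rect.x <= run.x <= rect.x + rect.w
            and rect.y <= run.y <= rect.y + rect.h)


def overlay_redacted_text(stream: str) -> list[str]:
    """Strings still present in the stream but merely painted over.
    Anyone can recover these by deleting the box or extracting the text."""
    rects = parse_rects(stream)
    return [run.text for run in parse_text(stream)
            if any(covers(r, run) for r in rects)]


def redact_for_real(stream: str) -> str:
    """Remove the covered text objects, keeping the boxes as visible
    redaction marks. Content that is gone cannot be recovered later."""
    rects = parse_rects(stream)
    out, last = [], 0
    for m in TEXT_RE.finditer(stream):
        run = TextRun(float(m.group(1)), float(m.group(2)), m.group(3), m.start())
        if any(covers(r, run) for r in rects):
            out.append(stream[last:m.start()])
            last = m.end()
    out.append(stream[last:])
    return "".join(out)


if __name__ == "__main__":
    print("recoverable under black boxes:", overlay_redacted_text(SAMPLE_STREAM))
    clean = redact_for_real(SAMPLE_STREAM)
    print("after real redaction:", overlay_redacted_text(clean))
```

The practical check is the first function: before publishing a redacted file, extract all text from it and grep for anything that should have been removed. Printing and rescanning, as the lawyers eventually did, works because a raster image carries no text objects at all, but it also discards searchability and accessibility; tools that delete the underlying content (as redact_for_real does in miniature) achieve the same protection without that cost.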


Saturday, August 04, 2007

CA Blasts Rocket For Code Theft in $200M Suit

CA is seeking $200m (!) from Rocket Software, claiming they used CA's intellectual property for their own database management system.
"The management software giant said in the complaint that Rocket hired programmers and software developers formerly employed by CA or Platinum technology International, which CA acquired in 1999. These employees (Mark Pompeii, Robert Schulien, Michael Skopec, and David Rowe), used CA's source code and development environment to fashion Rocket's software tools for the IBM DB2 relational database management system, CA alleged."

The transfer of intangible intellectual property in the form of employees' accumulated knowledge and experience is a frequent cause of trade secret disputes. The courts have a tough time differentiating deliberate theft and abuse of trade secrets from application of general knowledge, experience, competencies and skills. Employees who move to a new employer inevitably find it hard to stop thinking about their previous position and unintentionally transferring proprietary information to the new one. Former employers have problems proving that proprietary information was disclosed or taken by leavers, especially without hard evidence (e.g. data transfer media, email records etc.).


The Ferrari-McLaren espionage case continues

Autosport brings together all the news on the Ferrari-McLaren spy story on one handy page. The FIA and court action continues off the track. Did McLaren bosses know their Chief Designer was in possession of Ferrari's trade secrets? And if Ferrari bosses were suspicious of Nigel Stepney for months, how come they didn't suspend him much earlier?


Wednesday, August 01, 2007

IT professional accused of hacking former employer

An IT professional has been accused of hacking into a former employer's server to steal 4,000 confidential documents:
"A press note issued by S. Balu, Deputy Superintendent of Police, Cyber Crime Cell, said police had arrested M.S. Ramasamy, a 37-year-old software engineer from Avadi, on charges of hacking and stealing confidential and proprietary information from the server of Caterpillar, a US-based construction and mining company ... When contacted, Mr. Balu said the accused had gained access to the company’s server headquartered at Peoria in Illinois, US, using another employee’s user ID and password and downloaded over 4,000 confidential documents. A closed circuit camera had visuals of him accessing the server at the time when the files were downloaded. "


Tuesday, July 31, 2007

New awareness module on protecting trade secrets

August module
Continuing the flow of innovative security awareness materials, we have released another completely new NoticeBored Classic module about protecting trade secrets. This module complements and extends May’s module on insider threats and June’s on privacy and data protection. Organizations need to protect valuable information assets including sensitive commercial or proprietary information such as descriptions of their unique business processes and ingredients, customer lists, product and corporate development plans, financial models and results. The module looks at practices ranging from competitive intelligence at one end of the ethics/legality scale to industrial espionage and information warfare at the other, covering all points in between. It’s important to realize that competitors may not share our moral values and respect for the law so do pay attention: forewarned is forearmed!


Wednesday, January 17, 2007

Foreign spies in America


2006 Technology Collection Trends in the U.S. Defense Industry, an unclassified report released in June 2006 by the US Defense Security Service Counterintelligence Office, notes espionage incidents involving 106 foreign countries in 2005 (up from 90 the year before), a handful of which are briefly outlined in the appendix. Information systems are not surprisingly the most frequent targets for those seeking, um, information. The body of the report summarizes typical spy tactics and presents countermeasures in succinct tables like the one shown above. The same tactics and countermeasures apply whether the targets are military secrets or proprietary IP - in fact, they are often one and the same (so-called 'economic espionage').

More IPR resources


Sunday, July 09, 2006

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administrative assistant in the marketing function having ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the authorities who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the impending court action, there is limited information on the details of the case; for example, the news article does not state whether the accused had an exemplary record.
More links on keeping secrets


Thursday, June 15, 2006

Economic espionage, a clear and present danger

The latest CSO ezine contains an eye-opening assessment of the risk of 'economic espionage' (a.k.a. industrial espionage or intellectual property theft). Secrets Stolen, Fortunes Lost recounts several case studies and makes the point that traditional security measures are no longer effective in today's e-everything world. Information security threats require different controls, and in turn this requires senior management to update their attitudes towards securing the company's crown jewels. Simply acknowledging the value of their proprietary and personal information would be a good start, let alone recognising the vulnerabilities and impacts of information security breaches.
More IPR resources


Monday, June 05, 2006

Industrial espionage laid bare

As a former NSA employee, Ira Winkler is well known on the speaking circuit for disclosing some of the cloak-and-dagger techniques used by genuine spies. His book, Spies Among Us, should be required reading for all MBA students and managers. Secrets of Superspies, a conference keynote presentation by Ira, has the usual hallmarks of his case-study style plus the analysis to explain why corporate espionage is a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors. It's enough to make me even more paranoid.
More confidentiality, social engineering and hacking resources


Monday, May 30, 2005

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of leaking parts of a book the author was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The Trojan's author, however, claims that the program itself is legal and that it is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links


Wednesday, April 27, 2005

Corporate espionage

This slightly xenophobic article nevertheless analyzes the threat of theft of proprietary information. "Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. 'Seventy-five to 85 percent of all theft per se is done by an insider,' said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association."
More confidentiality resources
