
Auditing Protection of Intellectual Property

Auditing Protection of Intellectual Property. David Cronkright Chuck Dudinetz Paul Jones. Corporate Auditing The Dow Chemical Company. February 16, 2012. Agenda. About Dow What is IP and why do we care? What’s the risk? What are the key controls?





Presentation Transcript


  1. Auditing Protection of Intellectual Property David Cronkright Chuck Dudinetz Paul Jones Corporate Auditing The Dow Chemical Company February 16, 2012

  2. Agenda • About Dow • What is IP and why do we care? • What’s the risk? • What are the key controls? • How do we audit information protection controls? • Questions & Answers

  3. Agenda • About Dow • What is IP and why do we care? • What’s the risk? • What are the key controls? • How do we audit information protection controls? • Questions & Answers

  4. What is IP and why do we care? IP is an asset to be protected… • Technology • Business intelligence • Personal Data

  5. What is IP and why do we care? IP can take a number of forms… Explicit • Electronically stored • Hardcopy • The “object” itself Tacit • Conversations • Presentations

  6. What is IP and why do we care? Loss of IP can have significant consequences… • Loss of competitive advantage → loss of business • Loss of licensing revenue • Loss of prospective M&A partner • Non-compliance with legal/regulatory requirements • Damage to reputation • Sabotage

  7. Agenda • About Dow • What is IP and why do we care? • What’s the risk? • What are the key controls? • How do we audit information protection controls? • Questions & Answers

  8. What’s the risk ? • Risk = Threat x Vulnerability x Consequence

  9. What’s the risk ?

  10. What’s the risk ? Threats… Industrial Espionage • Targeting & recruitment of insiders • Cyber intrusions • Dumpster diving • Establishment of business relationships … Increasingly highly organized, funded, and resourced Hacktivism • Politically or socially motivated • Cause reputation damage Cyber Crime • Profit motive

  11. What’s the risk ? Potential Vulnerabilities… Inherent vulnerabilities • Targeted industry ? • Geographic presence Company culture • Culture of trust ? • Collaborative culture ? • Education & awareness • Weak policies & procedures … translate to behaviors

  12. What’s the risk ? Potential Vulnerabilities (Cont’d)… Workforce dynamics • Outsourcing • Turnover • Hiring practices • Employee morale Facility • Weak physical security • Multi-tenancy • 3rd Party service providers • Open work space • Waste segregation and disposal • Poor handling of printed documents, portable media

  13. What’s the risk ? Potential Vulnerabilities (Cont’d)… I/T • Weak computer room security • Broadly accessible network ports • Unsecure data transfer • Inappropriate access to electronic repositories • Network perimeter • Susceptibility to malware

  14. Agenda • About Dow • What is IP and why do we care? • What’s the risk? • What are the key controls? • How do we audit information protection controls? • Questions & Answers

  15. What are the Controls? Controls: mitigate the likelihood and/or impact of the threat exploiting a vulnerability

  16. What are the Controls ? Governance • Assessing Risk • Organization design/steering • Communication • Monitoring Preventive • Secure the network perimeter (Firewalls, IPS) • Secure the data (repository-level access control, DRM, DLP) • Physical security (badge access) • Confidentiality agreements • Workforce education (culture, behaviors) • Secure disposal of media (including hardcopy) • Contractual verbiage/third party assurance (for outsourced data)

  17. What are the Controls ? Detective • Intrusion detection (NIDS, HIDS) • Critical log review • Workforce monitoring (behavior changes, hoarding data) • Monitoring of information extraction/downloading
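One way to implement the "monitoring of information extraction/downloading" and "hoarding data" detective controls listed on slide 17, as an added example that is not from the deck: it parses a constructed repository access log and flags users whose latest day's download volume exceeds a multiple of their own recent baseline. The log format, field names and thresholds are assumptions.

```python
"""Flag users whose daily download volume jumps well above their own baseline."""
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the deck): timestamp, user, action, bytes.
# alice's last day is a sharp spike; bob's volume is steady.
SAMPLE_LOG = """\
2012-02-01T09:12:00 alice download 120000
2012-02-02T10:05:00 alice download 95000
2012-02-03T11:40:00 alice download 110000
2012-02-04T08:30:00 alice download 130000
2012-02-05T09:00:00 alice download 100000
2012-02-06T17:55:00 alice download 4800000
2012-02-01T09:00:00 bob download 300000
2012-02-02T09:00:00 bob download 280000
2012-02-03T09:00:00 bob download 310000
2012-02-04T09:00:00 bob download 295000
2012-02-05T09:00:00 bob download 305000
2012-02-06T09:00:00 bob download 320000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, action, bytes)."""
    events = []
    for line in text.splitlines():
        ts, user, action, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(size)))
    return events


def daily_download_totals(events):
    """Sum download bytes per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, action, size in events:
        if action == "download":
            totals[user][ts.date()] += size
    return totals


def flag_hoarders(events, window_days=5, ratio=5.0):
    """Return {user: (latest_day_bytes, baseline_bytes)} for users whose most
    recent day exceeds ratio x their mean over the preceding window_days days."""
    flagged = {}
    for user, per_day in daily_download_totals(events).items():
        days = sorted(per_day)
        if len(days) < 2:          # no history to compare against
            continue
        latest = days[-1]
        history = [per_day[d] for d in days[-(window_days + 1):-1]]
        baseline = sum(history) / len(history)
        if per_day[latest] > ratio * baseline:
            flagged[user] = (per_day[latest], baseline)
    return flagged
```

A flagged user is a lead for the investigative process, not a conclusion; the threshold and window should be tuned against the repository's normal traffic.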

  18. What are the Controls? Layering of Controls (the slide lays the controls out on two axes: Non-I/T vs. I/T, and Preventive vs. Detective)
  Non-I/T • Information handling policies • Physical security surveillance • Badge access • Work area segregation • Background checks • Employee education • Workforce behavior monitoring • Locked cabinets • Vehicle inspections • Confidentiality agreements • Information classification • Workforce offboarding • Clean desk policy • Workforce onboarding & offboarding • Investigative processes • Document & media disposal
  I/T • Secured network ports • Information access monitoring • Security incident response • Strong passwords • Elevated access • Computer room security • Intrusion Detection • Firewalls • Encrypted data transfer • Data Loss Prevention (DLP) • Vulnerability scanning • Intrusion Prevention • Asset identification & inventory • Logging (capture, retention, analysis) • Network segmentation • Egress traffic • Antivirus • Application whitelisting • I/T access control (repository level; data level (DRM)) • Patching

  19. How do we audit information protection controls ? • “Network Perimeter” audits • Common Network access points • VPN/RAS, Firewalls/Proxy Servers, Circuits, Modems, Physical Controls • “Intellectual Property” specific audits • Where the data lives (ex: Crown Jewels) • Site, Application, Project specific or Hybrid • “Cyber Security” audits • Organization’s ability to “sense and respond” to changing threat landscape • Governance and Control assessments • “Integrated” audits (strategy going forward)

  20. “Network Perimeter” Audit (the layered-controls map from slide 18, repeated with the controls in scope for this audit type highlighted)

  21. “Intellectual Property” Audit (the layered-controls map from slide 18, repeated with the controls in scope for this audit type highlighted)

  22. “Intellectual Property” Audit - Learnings • Much more than “just” I/T controls • “Sense and respond” approach (peripheral vision) • Consider effectiveness of controls as a whole • Layering of controls • Audit judgment required • Position to avoid pre-audit window dressing • Finding broader issues

  23. “Cyber Security” Audit (the layered-controls map from slide 18, repeated with the controls in scope for this audit type highlighted)

  24. External Threat – Cyber Security • It used to be that each company was its own little cyber kingdom and physical access was the king of control for external threats • Thanks to the internet, everything touches everything, so vulnerabilities have increased • The number, ability and motives of external threats are also increasing • Updated External Threat audit programs two years ago

  25. External Threat – Cyber Security • While press releases of APT compromises were out there, little else was available on “APT what and how” • Lacked expertise / experience to understand the threat termed APT (Advanced Persistent Threat) • Researched several firms specializing in APT • The project looked at the threat, its motives, the processes used to compromise a target and the controls required to slow down, detect and eradicate it.

  26. External Threat – Cyber Security • The APT is real and has more time and money to get at your IP than you have time and money to secure it. • It is a paradigm shift from a controls perspective. The logic is “They will get to your data”… • Preventive controls are there to slow them down so detective controls have time to identify the breach. • Proper response is required to assure you get all of the compromise before they know you’re on to them. • To date espionage has been the primary objective

  27. External Threat – Cyber Security Results - Two high level audit programs and insight into the new breed of Cyber Threat Governance • Organization & strategy • Key Relationships • Training and Awareness • Establishing the bar; COSO observations Control Assessment • Preventive • Detective • Response

  28. Agenda • About Dow • What is IP and why do we care? • What’s the risk? • What are the key controls? • How do we audit information protection controls? • Questions & Answers
