Richard J Heffernan, CEO of RJ Heffernan Associates, answers readers' questions about securing information in transit.
Q: What is involved in transporting intellectual property (IP) from one corporate site to another?
A: The security practices required in each situation are dictated in part by the business you are in and the risks you face. Planning for the security of information, especially at offsite meetings and conferences, starts with understanding the value and sensitivity of the information. Perform a risk assessment of each situation that involves oral, written and electronic information. That risk assessment will help ensure that risk identification, evaluation and mitigation activities, including the selection of reasonable and prudent security controls, are integrated into the business process. ISO 17799 is the basis for many security controls and may be used as the core program, but you must assign responsibility to monitor potential changes in contractual obligations, regulations and laws such as the Sarbanes-Oxley Act.
Q: When transporting IP, do people generally take the proper precautions?
A: Most people take proper precautions only if they are required to or if compliance is audited. The most common mistake is not involving experienced security personnel in the initial planning of the offsite meeting, conference or corporate move. Early involvement allows a security practitioner, who is experienced in performing risk assessments, to educate and advise planners as to issues that may put sensitive information at risk. A CSO can then advise alternative ways to avoid or mitigate the potential of exposing sensitive information to loss. Another common mistake or oversight is to not adequately educate all contractors, subcontractors, vendors and suppliers so that their actions do not put information at risk of exposure to unauthorized individuals or a potential loss of trade secret status because of claims of inadequate security.
Q: In certain cases, is it better to follow the adage "security by obscurity"? Meaning, if you don't call attention to it, you get lost in the noise.
A: It is almost always advisable to maintain a low profile for both personnel and sensitive information. One way is to ensure that your outsourced printer does not attach a sample copy of sensitive printed material to the outside of the boxes shipped to your event. Many organisations forgo being listed on the electronic and printed event listings of the hotels hosting conventions. Since IP now constitutes a large majority of the value of most corporations, you would have a hard time justifying a policy to external auditors that relies on hiding in plain sight.
Q: How elaborate do your security plans get?
A: A recent example of security for an offsite meeting included the usual preliminary planning as well as awareness briefings hosted by the business unit manager prior to leaving for the event. Upon arrival at the meeting site, each attendee received instructions drafted by the security department and signed by the event host. These instructions mandated that attendees bring all sensitive information as well as their laptops to be secured in a support centre with 24-hour security. Company security personnel using unmarked vans transported sensitive printed materials as well as printers, fax machines and computer networking equipment directly from the company to the support centre. Company security and IT staffers set up secured Internet and telephone connectivity instead of allowing company employees to work in their rooms. Company personnel could use meeting rooms, which had been pre-inspected, as an alternate to gathering in an unsecured public area. The object was to avoid creating situations where sensitive information might be at risk.
Q. How much time do you spend planning versus executing?
A: An ever-increasing percentage of time is spent establishing and continuing a dialogue with senior and business unit management to identify business goals, objectives and time lines. Planning for the protection of sensitive business and scientific information during corporate moves, at both onsite and offsite meetings as well as information shared externally with partners, vendors and customers, is an important part of developing a security management strategy. A continuous dialogue will help forge the understanding of corporate goals and the development of a security management strategy that supports business goals.