Post on 31-Mar-2021
Information Asset Protection Council - ASIS INTERNATIONAL
Market Entry Planning for
Information Asset Protection
in a Global Economy
Sponsored by the ASIS International
Information Asset Protection Council
September 24, 2007
Presented by: Richard J. Heffernan, CPP, CISM; Michael D. Moberly; Kevin E. Peterson, CPP
What we will discuss today . . .
• Why do we need “New Directions?”
• What are those “New Directions?”
• What resources are available?
• A quick look at the Global Economy of the 21st Century
• Two key elements:
  • Market Entry Planning in today’s Global Environment
  • Risk Assessment and Due Diligence
“We need to transition from a Cold War era ‘Information Security’ approach to a point where comprehensive ‘Information Asset Protection’ strategies are seamlessly integrated into the Enterprise Security Risk Management process.”
Kevin E. Peterson, CPP, Vice Chair, ASIS Information Asset Protection Council
Why do we need a new approach to IAP?
• A new global business environment
• Multiple asymmetric and tough-to-define threats
• Pace and intensity of business transactions
• Regulatory Requirements
Why do we need a new approach to IAP?
• 75% of value, sources of revenue, and wealth creation lie in information assets (IP, intangible assets, competitive advantage)
• Relying solely on checklists leads to complacency and tunnel vision – not “true” risk management
• Asymmetric and continuous threats abound
• We need to avoid the “herd mentality”
• Today’s environment mandates a “big picture” (comprehensive) approach
A New Comprehensive Approach
• Traditional Security
• Due Diligence
• Risk Assessment
• Product Security
• IP Protection
• Market Entry Planning and Monitoring
• Regulatory Compliance
• Counter Competitive Intelligence
• Export Control
• Enterprise Risk Management
• Liability Management
Resources Available Through ASIS . . .
• Trends in Proprietary Information Loss Survey
• Information Protection Toolkit
• Protection of Assets Manual
Visit our Council Web Site at www.asisonline.org/councils/SPI.xml
Today’s Global Business Environment
. . . Risks are dynamic and must be closely monitored
. . . Interdependencies are constantly growing in complexity
. . . Cultural factors play an important role
. . . Threats are less well-defined
New Threats, New Risks
Some circumstances that are bringing new challenges to information asset protection . . .
1. Data mining
   - Ideas and innovation targeted at the earliest stages of development
2. Insiders
   - Elevated sense of ‘global community’ leads to rationalization
   - Recognizing asset value + receptive buyers + ready markets
3. Country GDPs - increasingly reliant on infringement and counterfeiting as income sources
4. Legacy-free adversaries
   - Absent conventional notion of property rights
Left unchecked, probabilities become inevitabilities…
Where are we heading?
A new approach for conducting risk assessments and due diligence for information assets…
- Know your economic adversaries and competitors
- Risk Assessments/Due Diligence MUST be much more than “snap-shots-in-time”
- Market entry planning must also include asset monitoring
Managing Risk To Information Assets
It is often said in the business world that “you can’t manage it if you can’t measure it.”
• Risk assessments should identify, quantify & prioritize risks against the organization’s goals & criteria for risk acceptance.
• The results of an assessment should help in the selection and prioritization of management actions for managing identified risks & the implementation of appropriate options to address those risks.
[1] White paper: Developing IAP Risk Management Strategies for Global Organizations, 2007, Richard J. Heffernan, CPP, CISM
Identifying Business Objectives And Potential Risks To Achieving Those Objectives [1]
• Identify information asset protection related risks through Risk Assessments, Due Diligence & Market Entry Planning and Monitoring.
• Calculate the likelihood of occurrence & impact.
• Plot the risks on a risk graph to help identify the most critical risks.
• Calculate the financial impact of the most critical risks and the cost/benefit, risk/reward of the available options for addressing the risks.
• Create a process for ongoing monitoring of risks.
Market Entry Planning & Monitoring [1]
Market Entry Planning should include:
• Identify and assign value to any IPRs and proprietary competitive advantages that are part of any transaction.
• I.D. & assess issues related to existing/potential competitors.
• Perform a Due Diligence of any potential partners.
• Review all markets well prior to entry for existing infringements of I.P. Rights of yours or similar products.
• Review IPR registration requirements in each market.
• Assess the ability of each jurisdiction’s IP laws to support continued use, ownership and control of your organization’s IPR & proprietary competitive advantages during and after any business deal.
Market Entry Planning & Monitoring [1]
Market Monitoring should include:
• Set up a monitoring/sampling program of both Internet and brick & mortar sites to detect & evaluate IPR (Intellectual Property Rights) infringement and competing products.
• Identify specific issues that may erode the value of, or affect the use, ownership or control of, your IPR and proprietary competitive advantages.
• Monitor and gather intelligence on existing & potential competitors’ actions that may affect your IPRs & proprietary competitive advantages.
• Monitor IPR registration activity.
Due Diligence Process Elements… *
• Potential partner ties to any foreign governments
• Potential partner links to other firms with IPR violations, trade complaints or export control issues
• Reputation of the potential partner in IPR issues, including:
  • IPR violations, infringements of patents, trademarks & copyrights
  • Trade complaints
  • Export control issues
  • Track record of involvement in targeting of proprietary or trade secret information through open, illegal or unethical means
  • Civil or criminal court records to the extent allowed by law
• Financial metrics and performance of the potential partner
• Identify ownership of the organization and the citizenship status of all owners
• Identify other business assets and business interests of owners
• Previous employment of owners
* Adapted from the ASIS 2006 Trends in Proprietary Information Loss Survey
Risk Management Framework [1]
• Identify Management Objectives
• Event/Risk Identification
• Risk Assessment
• Risk Response
• Control Activities
• Communications
• Monitoring
Risk Management Framework [1]
• Identify Management Objectives - Interview or survey division & business unit management & staff to identify information assets, business objectives, financial goals & risk appetite.
• Event/Risk Identification - Identify internal and external events or risks with the potential to affect achievement of business objectives.
• Risk Assessment - Risks (taking into account both threats & vulnerabilities) are analyzed considering likelihood and impact as a basis for determining how they should be managed.
• Risk Response - Management selects responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity’s risk tolerance.
Risk Management Framework [1] - continued
• Control Activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Communications - Relevant information is communicated across the entity in a form and timeframe that enables people to carry out their responsibilities.
• Monitoring - Risks and risk responses to IP rights and proprietary competitive advantages are monitored and adjustments are made as necessary.
Risks Identified through interviews, assessments, due-diligence & monitoring [1]

Product A (Current MKT XX, 60% US / 40% Int.; MKT potential XX in 20XX):
  Press release without P.R. and security input contains information that has the potential to cause increased risk of kidnapping at international sales office or product theft at distribution warehouse.

Product B (Current MKT XX, 75% US / 25% Int.; MKT potential XX in 20XX):
  Specifics of 2nd generation of product in R&D need protection over an extended time period and may be targeted by competitive intelligence gathering attempts at business & scientific off-site meetings.

Product C (completing Phase 3 Clinical Trials; preparing for FDA Panel hearing):
  Competition for orphan drug status; intense competitive intelligence targeting has been identified related to competitive issues re: efficacy and adverse reactions vs. competing product. Off-site scientific meetings and FDA Panel meeting rehearsals may be targeted. Information security practices of partner may not support company program.
Risks Identified through interviews, assessments, due-diligence & monitoring [1]

Product D (acquired through merger; MKT potential X in 20XX):
  Risk assessment has identified: the need for IPR due diligence of potential distributors and market monitoring; the potential for problems due to price differential, with Internet sources offering product below U.S. prices; individual serialization needed to help ID legitimate product & allow track and trace of suspect products.

Project 1 (new R&D facility in planning):
  New location in university research center may be targeted by special interest groups. Information security issues caused by shared space in research park. Requirement to work with H.R. to limit identification of sensitive new product info in ads and interviews.

Project 2 (improvement in mfg. yield for “D”, 20XX):
  Competitors targeting process technology. Mfg. capacity information targeted. Competition recruiting process engineers.
Ranking Risks Based on Business Impact and Likelihood of Occurrence [1]
(Representative sample of identified events/risks; * ranking subject to change)

ID | Risk or event | Likelihood of occurrence | Impact of incident occurring | Risk ranking score
A | Identification of specifics of second generation of Product B | H | H | H
B | Press release without security or P.R. input will cause serious security issue | L | L | L
C | Targeting of off-site meeting re: Product C | M | H | M-H
D | Information security practices of partner | L | M (* note: impact increasing) | M (* ranking subject to change: M-H)
E | Price differential between countries will result in cross border trade resulting in lost income | H (* note: occurrence increasing) | H | H
Ranking Risks Based on Business Impact and Likelihood of Occurrence [1] (continued)

ID | Risk or event | Likelihood of occurrence | Impact of incident occurring | Risk ranking score
F | Internet sources offering product at prices less than U.S. price | H | M | M-H
G | Need for individual serialization of products to aid in track & trace & identification of diverted or suspected counterfeit products | H | H | H
H | IPR due diligence of potential partners / distributors needed for high risk areas or products | H | H | H
I | Targeting of manufacturing capacity | L | H | L-M
J | Targeting of process technology | H | M | H
Using risk ranking to identify the most critical risks
[Risk graph: vertical axis Impact (Low Impact / Medium Impact / High Impact); horizontal axis Likelihood of occurrence (Low ------ High)]
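The ranking tables and the risk graph above can be reproduced mechanically once the qualitative ratings are in a register. The following is an added example written for this page, not code from the presentation or from the white paper it cites. The scoring rule is an assumption of the example: L/M/H map to 1/2/3, a range such as "M-H" maps to the midpoint of its ends, the score is likelihood multiplied by impact, and the bands are Low (below 3), Medium (3 to below 6) and High (6 and above). The register rows are the representative sample from the slides with the descriptions shortened; the resulting scores therefore follow the example's rule, not the slide's hand-assigned rankings.

```python
"""Rank information-asset risks by likelihood and impact (added example).

Assumed scoring rule, not taken from the presentation or the white paper:
each qualitative level maps to 1..3 (L=1, M=2, H=3), a range such as "M-H"
maps to the midpoint of its ends, and the risk score is likelihood * impact
(1..9), bucketed back into Low / Medium / High bands.
"""
from dataclasses import dataclass, replace
from math import ceil

LEVEL_VALUE = {"L": 1.0, "M": 2.0, "H": 3.0}
VALUE_LEVEL = {1: "Low", 2: "Medium", 3: "High"}


def level_value(rating: str) -> float:
    """'H' -> 3.0, 'M-H' -> 2.5, 'L-M' -> 1.5. Unknown ratings are rejected."""
    parts = [p.strip().upper() for p in rating.split("-")]
    unknown = [p for p in parts if p not in LEVEL_VALUE]
    if unknown:
        raise ValueError(f"unknown rating level(s): {unknown}")
    return sum(LEVEL_VALUE[p] for p in parts) / len(parts)


@dataclass(frozen=True)
class Risk:
    ident: str
    event: str
    likelihood: str  # L, M, H or a range such as "M-H"
    impact: str
    note: str = ""   # e.g. "occurrence increasing", carried over from monitoring

    def score(self) -> float:
        return level_value(self.likelihood) * level_value(self.impact)

    def band(self) -> str:
        """Assumed bands: 6..9 High, 3..<6 Medium, below 3 Low."""
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"


# Register: the representative sample from the slides, descriptions shortened.
REGISTER = [
    Risk("A", "Specifics of second generation of Product B identified", "H", "H"),
    Risk("B", "Press release without security or P.R. input", "L", "L"),
    Risk("C", "Targeting of off-site meeting re: Product C", "M", "H"),
    Risk("D", "Information security practices of partner", "L", "M", "impact increasing"),
    Risk("E", "Price differential drives cross-border trade, lost income", "H", "H", "occurrence increasing"),
    Risk("F", "Internet sources offering product below U.S. price", "H", "M"),
    Risk("G", "Individual serialization needed for track & trace", "H", "H"),
    Risk("H", "IPR due diligence of partners/distributors needed", "H", "H"),
    Risk("I", "Targeting of manufacturing capacity", "L", "H"),
    Risk("J", "Targeting of process technology", "H", "M"),
]


def rank(register):
    """Highest score first; ties broken by identifier so the output is stable."""
    return sorted(register, key=lambda r: (-r.score(), r.ident))


def most_critical(register, band="High"):
    """Identifiers in the requested band, in ranked order."""
    return [r.ident for r in rank(register) if r.band() == band]


def risk_graph(register):
    """Place each risk in the 3x3 (impact, likelihood) grid of the slide.
    Ranges round up (ceil), so 'M-H' is plotted in the High cell."""
    grid = {(i, l): [] for i in VALUE_LEVEL.values() for l in VALUE_LEVEL.values()}
    for r in register:
        cell = (VALUE_LEVEL[ceil(level_value(r.impact))],
                VALUE_LEVEL[ceil(level_value(r.likelihood))])
        grid[cell].append(r.ident)
    return grid


def reassess(register, ident, **changes):
    """Ongoing monitoring: return a new register with one risk re-rated
    (e.g. impact="H") so the ranking can be recomputed without mutation."""
    return [replace(r, **changes) if r.ident == ident else r for r in register]


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.ident} {r.score():>4.1f} {r.band():<6} {r.event}  {r.note}")
    print("most critical:", most_critical(REGISTER))
    print("High impact / High likelihood cell:", risk_graph(REGISTER)[("High", "High")])
    # The monitoring note on D says impact is increasing: re-rate it and re-rank.
    updated = reassess(REGISTER, "D", impact="H")
    print("D after re-rating:", [(r.score(), r.band()) for r in updated if r.ident == "D"])
```

Under this rule the High band contains A, E, G, H, C, F and J, I lands in Medium and D and B in Low; the `note` field and `reassess` exist so that a monitoring observation such as "impact increasing" is carried into the next ranking cycle rather than lost, which is the "ongoing monitoring" step the framework asks for.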
Prioritizing Critical Risk / Reporting to Management [1]
The risk assessment process may produce a long list of identified risks that need to be prioritized. Issues to be considered include:
• The financial impact of loss should be calculated for the most critical risks.
• A cost/benefit – risk/return analysis of management options for addressing the most critical risks should be performed.
• Significant changes in risk or asset value due to loss should be reported to an appropriate level of management on an event-driven or periodic basis.
• Risks to proprietary competitive advantages and I.P. rights need to be monitored.
Risk Response Options *
Management selects risk response options in developing a set of actions to align risks with the organization’s risk tolerance and risk appetite.
• Risk Reduction - Employing security and other measures to mitigate threats, reduce vulnerabilities or lessen the impact of an undesirable event.
• Risk Transfer - A standard management process whereby some or all of the risk is assigned to others (such as an insurance carrier, supplier or vendor).
• Risk Spreading - The practice of dispersing assets geographically or otherwise so as to limit the consequences of an attack or undesirable event in any one location.
• Risk Avoidance - Avoiding risk by not allowing actions that would cause a risk to occur (this may, however, limit the organization’s ability to perform its mission).
• Risk Acceptance - Recognizing and accepting a certain degree of residual risk (sometimes expressed as a dollar value) according to some pre-set criteria or threshold.
* Source: ASIS Information Asset Protection Guideline & ASIS POA Manual 2007
Risk response considerations when choosing options to address identified risks *
The choice of options, as well as the specific security controls employed to reduce risk, should be based on management issues such as:
• Goals and objectives of the organization
• Operational requirements and constraints
• Contractual requirements, obligations and constraints
• Applicable local, national and international laws and regulations
• Unique regional or cultural issues
• Cost of risk reduction in relation to risk reduction benefit
• Cost of risk reduction in relation to other organizational funding issues
The Bottom Line . . .
“Assessing and addressing risks enables business. Security’s role is to help organizations assess and address risk to enable business transactions.” *
* Richard J. Heffernan, CPP, CISM