Intellectual Property Management System
A Project Report
Presented to
The Faculty of the College of Engineering
San Jose State University
In Partial Fulfilment
of the requirements for the degree
Masters of Science in Engineering
By
Shanmugam Parasuraman Divya Kempaiah
April 2009
©2009
Shanmugam Parasuraman Divya Kempaiah
ALL RIGHTS RESERVED
APPROVED FOR THE DEPARTMENT OF GENERAL ENGINEERING
_________________________________________________________ Dr. Leonard Wesley
Program Advisor,
Professor, Department of Computer Engineering
_________________________________________________________ Mr. Debnath Saradindu
Industrial Sponsor, KLA-Tencor
_________________________________________________________ Dr. Oliver Yu
Academic Advisor, College of Business
San Jose State University
ABSTRACT
The Intellectual Property Management System (IPMS) is a customized security framework
model that takes the relevant parts of three classic security models (Bell-LaPadula, Biba
and Clark-Wilson) and combines them with third-party data loss prevention tools to protect
the intellectual property of Global Wafers Corporation (GWC). It also sets the rules and
definitions for IT security guidelines that safeguard IP from disclosure, theft, abuse and
destruction.
IPMS identifies the intellectual property of GWC, evaluates the security mechanisms GWC
currently uses, and refines those procedures, policies and guidelines to protect
intellectual property. It uses data loss prevention tools to discover and capture sensitive
data, and it brings together the security controls a semiconductor company needs to protect
its intellectual property. IPMS provides a concrete list of requirements that the company's
IT and management teams can use to understand their security implementation and to justify
security expenditures to decision makers.
ACKNOWLEDGEMENT
We are greatly indebted to Professor Dr. Oliver Yu for his patience, invaluable time and
assistance throughout our Masters program. We are thankful to Professor Kehoe Ray for
his advice, support, and motivation during the initial groundwork of this project.
We are grateful to our industry sponsor Mr. Debnath Saradindu, Senior Manager, KLA-
Tencor for providing the opportunity to pursue graduate studies while working. We are
also thankful to our friends Mr. Rakesh Kumar, Senior Information Analyst, KLA-
Tencor and Mr. Subramanian Chalamcharla, Sr. Engineer, HCL America for helping us
in reviewing the project design.
We would like to thank Dr. Leonard Wesley, Associate Professor, Department of
Computer Engineering, San Jose State University for his suggestions and guidance
throughout our course for SPRING 2009 Semester.
We would like to thank our family members, who gave us encouragement and support.
Table of Contents
1 Introduction
1.1 Company Profile
1.2 Project scope
2 Project Description
2.1 Importance of IPMS
3 Literature Review
3.1 Security Models and Policy
3.1.1 Bell-LaPadula Security Model
3.1.2 Biba Security Model
3.1.3 Clark-Wilson Security Model
3.2 IPMS Security Framework Model
4 IPMS Security specification
4.1 Defining security controls
4.2 Security Policy of IPMS
4.2.1 System Specific Security Policy
4.2.2 Issue Specific Security Policy
4.3 IPMS Security Procedure
4.4 IPMS Security Plan
4.5 IPMS Priorities
4.6 IPMS Security Roles and Responsibilities
4.7 IPMS Enforced controls list
5 Data Classification
5.1 GWC existing Data Classification
5.2 IPMS Data Classification
6 IPMS Design and Architecture
6.1 Existing Security/Network Architecture of GWC
6.2 IPMS Recommended Network Design
6.3 Data Loss Prevention tool Integration
6.4 Discovering Data at Rest
6.4.1 Search by Repository Type
6.4.2 Search by the Signature Percentage Match
6.4.3 Search by the File PATH
6.4.4 Search by the File Size
6.4.5 Data Capture
7 Economic Justification
7.1 Executive Summary
7.2 Problem Statement
7.3 Solution & Value proposition
7.4 Market Size
7.5 Competitors
7.6 Customers
7.7 Total Cost
7.7.1 Fixed Cost
7.7.2 Variable Cost
7.7.3 Maintenance Cost
7.8 Service Price Point
7.9 SWOT Assessment
7.10 Investment Capital Requirements
7.11 Personnel
7.12 Business Revenue Model
7.13 Break Even Analysis
7.14 Return on Investment
8 Risk Management
8.1 Risk Assessment
8.2 Vulnerability Assessment
8.3 Risk Mitigation Strategy Development
9 Project Schedule
9.1 First Phase
9.2 Second Phase
10 Conclusion
11 References
List of Figures
Figure 1: Importance to IPMS from Management Perspective
Figure 2: Bell-LaPadula Model
Figure 3: Biba Security Model
Figure 4: Clark-Wilson Security Model
Figure 5: Security/Network of GWC
Figure 6: IPMS Recommended GWC Network Design
Figure 7: Data Loss Prevention Third Party Tool Integration in GWC
Figure 8: Survey - Organizations Having Cyber Attacks
Figure 9: Losses Due to Security Breaches in GWC
Figure 10: Cash Flow Statement
Figure 11: Profit and Loss Graph
Figure 12: Break Even Analysis Graph
List of Tables
Table 1: IPMS Roles and Responsibility Matrix
Table 2: Security Control Matrix
Table 3: Fixed Cost
Table 4: Manpower Cost
Table 5: Variable Costs
Table 6: Maintenance Cost
Table 7: SWOT Analysis for IPMS
Table 8: Cash Flow Statement
Table 9: Team Roster
Table 10: Business Revenue Model
Table 11: ROI Table
Table 12: Risk & Vulnerability Assessment Table
Table 13: Risk Mitigation Table
Table 14: First Phase Project Schedule
Table 15: Second Phase Project Schedule
1 Introduction
1.1 Company Profile
Global Wafers Corporation provides wafer defect monitoring solutions for the semiconductor
industry worldwide. It offers equipment for wafer inspection, defect review, and reticle
defect inspection. GWC's defect inspection tools help companies detect, classify and
analyze failures caused by contaminants, and identify electrical issues during the stages
of the IC manufacturing process.
1.2 Project scope
All digital assets of an organization should be protected regardless of how the
information is stored or communicated, and the organization should continually evolve its
information security processes through historical capture, data mining and analytics.
Proactive steps must be taken to prevent unauthorized disclosure of intellectual property,
and reactive steps must be taken to respond to intellectual property theft. Sensitive
information must be protected because its loss would compromise the profits of Global
Wafers Corporation. These issues are addressed by the IPMS security plan generator, a
proof-of-concept framework that comprises the rules and definitions for IT security,
arrived at by discovering and documenting the security controls needed in a
de-centralized environment. It poses a series of questions about the existing security
system and generates a security plan at the end. Coverage of government security
governance laws is out of scope for this project.
2 Project Description
Global Wafers Corp. experiences several thousand network attacks every hour, originating
from many places in the world. There have been several incidents at GWC in which critical
IP was compromised and competitive edge was lost. These incidents created the need for
effective intellectual property protection. This project analyzes and assesses the security
processes and the current security model of Global Wafers Corp. (a semiconductor company)
and tightens the existing security model with risks, costs and benefits taken into account.
This document gives a synopsis of the Intellectual Property Management System (IPMS) and
the project plan set by our team to complete the project. IPMS will provide a cost-effective
security solution that helps GWC become the market leader in the semiconductor industry by
protecting its critical digital assets. It will simplify information flow and access and
streamline enterprise processes while giving the highest priority to security. The IPMS
framework will be handed to the Global Wafers Corporation CIO so that future use of the
security methodology can be based on our proof-of-concept implementation. The security plan
provides a concrete list of requirements that can be used to understand security
compromises and justify security expenditures to decision makers.
2.1 Importance of IPMS
Legally protected intellectual assets are essential to the success of every business, and
GWC is no exception. To achieve high-growth plans, a business needs a very strong
intellectual property portfolio. Semiconductor companies build up their portfolios by
applying for more patents, in addition to licensing and cross-licensing technology patents.
To maximize the value of its intellectual assets, GWC should analyze and understand how
they support its business strategies, protect current and future product positions,
provide competitive advantage, and add value to its products.
Figure 1: Importance to IPMS from Management perspective
Source: R.G. Cooper, S.J. Edgett, and E.J. Kleinschmidt, "Best Practices for Managing
R&D Portfolios," Research-Technology Management 41(4), 1998, p. 24.
3 Literature Review
The literature search on security models was done to gain knowledge of the technical
aspects of the well-known security models. The models described below, their use in the
project, and the reasons these references were chosen are presented in this section,
together with the primary background of the contents of these references.
Articles, journals and internet resources that discuss technical issues and new ways of
implementing security policies, procedures and guidelines were taken into account for the
project. Market research was also used to forecast the direction of security. This
literature review is organized as follows:
3.1 Security Models and Policy
A security model is a symbolic representation of a policy, together with the design and
analysis of secure systems. A model maps policies into a set of rules that are followed by
the computer systems. Three security principles shall be followed for this project:
Confidentiality: prevention of unauthorized disclosure of data
Integrity: prevention of unauthorized modification of data
Availability: prevention of loss of access to resources and data
From our research we found three security models to be highly useful. We studied them in
detail and develop our security model framework on the basis of these three models. A brief
description of each is given below.
3.1.1 Bell-LaPadula Security Model
The Bell-LaPadula model deals only with confidentiality, as in the security levels of a
defence network: a subject may not read an object classified above its clearance (no read
up) and may not write to an object classified below its clearance (no write down). Its
limitations are that it does not address management of access control, it does not prevent
covert channels, and it does not address the file sharing used in modern systems.
Source: http://www.computing.dcu.ie/~davids/courses/CA548/C_I_Policies.pdf
Figure 2: Bell Lapadula Model
3.1.2 Biba Security Model
The Biba model addresses data at the integrity level, for example the accounting
department of a bank. It is the integrity counterpart of Bell-LaPadula: a subject may not
read an object at a lower integrity level (no read down) and may not write to an object at
a higher integrity level (no write up). Its limitation is that it addresses integrity only;
it does not address confidentiality or availability.
Figure 3: Biba Security Model
Source: Information Security Management Handbook by Harold F. Tipton, Micki Krause
3.1.3 Clark-Wilson Security Model
In the Clark-Wilson model, separation of duties is enforced and auditing is required. Users
cannot access or manipulate objects directly; they must access the data through a program
(a transformation procedure). This provides another layer of protection between the user
and the data and restricts the type of actions that can take place on that data.
Figure 4: Clark Wilson Security Model
Source: http://www-users.cs.york.ac.uk/~fiona/PUBS/CAiSE04.pdf
3.2 IPMS Security Framework Model
The IPMS security model framework addresses the CIA triad:
Confidentiality
Integrity
Availability
It builds a custom model that combines the Bell-LaPadula, Biba and Clark-Wilson models,
identifies the existing processes that must be brought into compliance with the new model,
and evaluates off-the-shelf third-party security products against GWC's security
requirements.
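The three models are easiest to compare as rules that a reference monitor evaluates. The following Python is an added illustration for this page, not code from the report: it encodes the Bell-LaPadula read/write rules (3.1.1), the Biba read/write rules (3.1.2) and a Clark-Wilson certified-procedure and access-triple check (3.1.3), and combines them the way section 3.2 proposes, so that an access is allowed only when every model permits it and every decision is audited. The level names, subjects, objects and the transformation procedure are constructed for the example.

```python
"""Reference-monitor sketch for the models IPMS combines (sections 3.1.1 to 3.2).
Added illustration, not the report's code; all names below are constructed."""
from dataclasses import dataclass, field

# Ordered lattices, lowest first (constructed level names).
CONF_LEVELS = ["public", "internal", "confidential", "ip-critical"]
INTEG_LEVELS = ["untrusted", "user", "engineering", "system"]


@dataclass(frozen=True)
class Subject:
    name: str
    conf: str    # clearance (Bell-LaPadula)
    integ: str   # integrity level (Biba)


@dataclass(frozen=True)
class Obj:
    name: str
    conf: str    # classification
    integ: str   # integrity level


def blp_allows(subject, obj, op):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s, o = CONF_LEVELS.index(subject.conf), CONF_LEVELS.index(obj.conf)
    return s >= o if op == "read" else s <= o


def biba_allows(subject, obj, op):
    """Biba: no read down (simple integrity), no write up (*-integrity)."""
    s, o = INTEG_LEVELS.index(subject.integ), INTEG_LEVELS.index(obj.integ)
    return s <= o if op == "read" else s >= o


@dataclass
class IPMSMonitor:
    """Combined decision: Bell-LaPadula and Biba must both permit the access, and
    a write must additionally go through a certified Clark-Wilson transformation
    procedure (TP) bound to the caller by an access triple (user, TP, object).
    Every decision, allowed or not, is appended to the audit log."""
    tps: dict = field(default_factory=dict)      # TP name -> callable
    triples: set = field(default_factory=set)    # (user, tp, object name)
    audit: list = field(default_factory=list)

    def certify_tp(self, name, fn):
        self.tps[name] = fn

    def grant(self, user, tp, obj_name):
        self.triples.add((user, tp, obj_name))

    def decide(self, subject, obj, op, tp=None):
        if op not in ("read", "write"):
            raise ValueError(op)
        reasons = []
        if not blp_allows(subject, obj, op):
            reasons.append("BLP: " + ("read up" if op == "read" else "write down"))
        if not biba_allows(subject, obj, op):
            reasons.append("Biba: " + ("read down" if op == "read" else "write up"))
        if op == "write":
            if tp not in self.tps:
                reasons.append("CW: write not through a certified TP")
            elif (subject.name, tp, obj.name) not in self.triples:
                reasons.append("CW: no access triple for this user/TP/object")
        allowed = not reasons
        self.audit.append((subject.name, op, obj.name, tp, allowed, tuple(reasons)))
        return allowed, reasons

    def run_tp(self, subject, obj, tp, state):
        """Apply the TP to the object's state only if the write is permitted."""
        allowed, reasons = self.decide(subject, obj, "write", tp)
        if not allowed:
            return state, reasons
        return self.tps[tp](state), []


def demo():
    """Worked decisions for one engineer against four constructed objects."""
    m = IPMSMonitor()
    eng = Subject("eng1", "confidential", "engineering")
    recipe = Obj("process-recipe", "ip-critical", "system")
    memo = Obj("team-memo", "internal", "engineering")
    download = Obj("web-download", "public", "untrusted")
    spec = Obj("tool-spec", "confidential", "engineering")
    m.certify_tp("update_spec", lambda s: s + " rev2")
    m.grant("eng1", "update_spec", "tool-spec")
    out = {
        "read_up": m.decide(eng, recipe, "read")[0],                  # BLP denies
        "read_ok": m.decide(eng, memo, "read")[0],                    # both permit
        "read_down": m.decide(eng, download, "read")[0],              # Biba denies
        "write_down": m.decide(eng, memo, "write", "update_spec")[0], # BLP denies
        "write_no_tp": m.decide(eng, spec, "write")[0],               # Clark-Wilson denies
        "write_ok": m.run_tp(eng, spec, "update_spec", "rev1"),       # all permit
    }
    return out, m.audit
```

The "read_down" case is the one the combined model adds over Bell-LaPadula alone: the engineer is cleared for the public download, but Biba refuses to let low-integrity content flow up into engineering work. Each audit entry records the operation, the TP used and the reasons for a denial, which is what section 3.1.3 means by auditing being required.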
4 IPMS Security specification
4.1 Defining security controls
Maintaining security is not a single process but an evolving, continuous one. The main
objective of the IPMS security project is to protect the intellectual property of GWC while
fulfilling the CIA triad (confidentiality, integrity and availability of data).
Almost 90 percent of all attacks amount to a violation of one or more of these three
objectives. The weight given to each objective will vary with GWC's security goals, policies
and the requirements put forth by IPMS. IPMS will ensure that all three properties of the
data are protected.
4.2 Security Policy of IPMS
The IPMS framework security policy is generic and written at a high level so that it
applies to the whole of GW Corporation. The policy is distributed only to employees of GW
Corporation and not to the outside world. Its owner is the IPMS framework, and it is
maintained, evaluated and governed by IT Security, GW Corporation. The policy takes into
account the business direction, recent security threats, business objectives and the
regulatory compliance enforced by the government. It is reviewed every quarter and changed
to reflect the business requirements.
The IPMS security policy re-defines the existing security goals of GW Corporation. It is a
high-level document that carries the vision of GWC's core objectives; its intent is to
re-define the settings that give GWC the best achievable security going forward. The
security policy is divided into two categories, system specific and issue specific.
The system specific policy covers the use of laptops, PDAs and desktop computer equipment.
It approves the list of software and the use of all the data in GWC's data set. The list is
prepared and evaluated by the IPMS framework but maintained by GWC's IT department.
The issue specific policy of IPMS addresses specific security issues that are critical to
networks, applications and data security, and has a much broader scope. It is maintained
by IPMS and reviewed periodically. It includes who is responsible and which procedures are
used to test the effectiveness of the IPMS measures.
4.2.1 System Specific Security Policy
IPMS gives the set of control measures that are enforced by the system specific policy,
known as the "GWC System Security Standards". The standards apply to any laptop, desktop or
other device that connects to the GWC network. GWC has implemented Active Directory, with
LDAP for the Windows and UNIX systems, for user account management and for policy
management of its server operating systems and application usage. The System Security
Standards are applied through Active Directory policy as mandated by the IPMS framework
model. The settings that belong to this policy are listed below:
Host-based firewall settings:
Every laptop or desktop that connects to the GWC network must have its host-based firewall
enabled and configured before it is allowed on the network. A device without these settings
is prohibited from connecting, and the rejected connection attempt is logged for later
security analysis using IPMS.
Patch management:
Every laptop or desktop that connects to the GWC network must be patched to the latest
security patch level listed by the GWC IT department. Automatic security updates must be
turned on so that the system polls for patches and installs them automatically. A device
whose automatic updates are off, or whose patch level is below the IT department's list, is
prohibited from connecting, and the connection attempt is logged for later security
analysis using IPMS. As a mandatory requirement, all systems must be upgraded to at least
Windows XP Service Pack 2.
Unwanted services should be disabled:
Every laptop or desktop that connects to the GWC network must have the unwanted services
listed by the GWC IT department turned off. The list is published and updated every quarter
by the IPMS framework model and pushed out through the Active Directory policies. A device
found running a service on the list is prohibited from connecting, and the connection
attempt is logged for later security analysis using IPMS.
Local administrator rights renamed/revoked:
Every laptop or desktop that connects to the GWC network must have its built-in
Administrator account renamed, and no user outside IT may hold administrator privileges.
This is strictly enforced so that users cannot install unwanted programs, which are a
security threat. A device on which an account outside the IT department's list has been
given administrative privileges is disabled from the GWC network, and the connection is
logged for later security analysis using IPMS.
List of standard programs:
Every laptop or desktop that connects to the GWC network may run only the software on the
standard program list approved under the system specific policy. The list is prepared and
evaluated by the IPMS framework and maintained by GWC's IT department. A device found
running software outside the list is disabled from the GWC network, and the connection is
logged for later security analysis using IPMS.
Preventing printing of confidential documents:
All GWC employees are subject to printing restrictions on GWC company confidential
documents. Only selected groups of users may print any type of intellectual property
document. The list is controlled and evaluated by the IPMS framework and handed to the GWC
IT department. Executives have their own printers for confidential documents, fully
segregated from those used by other employees.
Access to USB devices/CD-ROM:
All GWC employees are restricted from using USB devices such as flash drives and external
hard drives, onto which data can be copied and taken off the network. IPMS enforces a policy
that disables USB ports and CD-ROM drives to prevent data leaving the network this way.
Anti-virus protection: The GWC IT department provides anti-virus software for all systems.
If a system is not GWC-owned, the network detects this and installs the anti-virus software
before the system can access data inside the network. This keeps the data from being
tampered with and preserves its integrity.
Spam-filtering software: The GWC IT department provides spam-filtering software as part of
the standard image for all systems. If a system is not GWC-owned, the network detects this
and installs the spam-filtering software before the system can access data inside the
network. This reduces the malicious mail that reaches users and so helps keep the data from
being tampered with.
Passwords: The IPMS framework requires that user passwords be changed every 60 days, and
this is strictly enforced by Active Directory. GWC employees cannot reuse any of their last
5 passwords; the password history is stored in Active Directory as the IPMS framework
requires.
Physical security: Window locks, doors and alarms are checked by GWC Physical Security and
recorded in the confirming documents. Every computer and laptop must carry a serial number
on the top of its cover, which is tracked whenever the device is moved or goes missing. All
laptops must be secured to the desk with a security lock to prevent theft.
Wireless networking: All GWC wireless networks are locked down with strong 128-bit
encryption enforced by the IPMS framework. GWC employees gain access to the network only
with two-factor authentication, even when they connect over wireless. This provides a high
level of security and another layer of protection against hackers, and it keeps the wireless
network from being open to anyone in range with wireless capability who wants to snoop on
the GWC network.
Web browsing: Everyone thinks that having fast Internet access is a great perk, but people
use it all the time without much thought for the risks. Through a content filtering audit
(free with Secure Computing), we found that 20 percent of our Web browsing was unrelated to
work. We don't have a policy on acceptable use, and no one is taking any security measures.
Encryption/Backups: No data is stored on the local hard disks of desktops and laptops; all
data is stored on the network shares, so even if a desktop or laptop is stolen, others
cannot get at the data. In addition, all desktop and laptop hard drives are encrypted using
the vendor product integrated with the IPMS framework model. The network server holds all
employee files together with the company's intellectual property in one place. Backups are
taken weekly, and a copy of the backups is kept offsite through a company called Iron
Mountain.
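Taken together, the System Security Standards above amount to a posture check run whenever a device asks to join the network, plus a password rule enforced by the directory. The Python below is an added illustration for this page, not code from the report or from GWC's Active Directory. It evaluates a device posture record against the standards (Windows XP SP2 minimum, host firewall, automatic updates and patch level, prohibited services, non-IT local administrators, non-standard programs, USB/CD-ROM, anti-virus), logs every decision with its reasons, and applies the 60-day rotation and last-5 history rule for passwords. The baseline values, patch names, account names, dates and posture records are constructed, and the SHA-256 digest only stands in for the directory's own password hash.

```python
"""Admission check for the "GWC System Security Standards" (section 4.2.1).
Added illustration, not the report's code; every literal below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Baseline the IT department would publish (constructed placeholder values).
MIN_OS = (5, 1, 2)                  # NT 5.1 = Windows XP; third field = service pack
PATCH_BASELINE = {"2009-03-critical", "2009-04-critical"}   # placeholder patch names
PROHIBITED_SERVICES = {"telnet", "remote-registry"}
STANDARD_PROGRAMS = {"office", "antivirus", "spam-filter", "vpn-client", "browser"}
IT_ADMINS = {"it-admin1", "it-admin2"}
PASSWORD_MAX_AGE = timedelta(days=60)
PASSWORD_HISTORY = 5


@dataclass
class Posture:
    host: str
    os: tuple            # (major, minor, service pack)
    firewall_on: bool
    auto_update_on: bool
    patches: set
    services: set
    local_admins: set
    programs: set
    usb_enabled: bool
    antivirus_on: bool


def check_posture(p):
    """Return the list of violated standards; an empty list means compliant."""
    v = []
    if p.os < MIN_OS:
        v.append("os below Windows XP SP2")
    if not p.firewall_on:
        v.append("host firewall disabled")
    if not p.auto_update_on:
        v.append("automatic updates disabled")
    missing = PATCH_BASELINE - p.patches
    if missing:
        v.append("missing patches: " + ", ".join(sorted(missing)))
    bad_svc = p.services & PROHIBITED_SERVICES
    if bad_svc:
        v.append("prohibited services running: " + ", ".join(sorted(bad_svc)))
    extra_admins = p.local_admins - IT_ADMINS
    if extra_admins:
        v.append("non-IT local administrators: " + ", ".join(sorted(extra_admins)))
    extra_sw = p.programs - STANDARD_PROGRAMS
    if extra_sw:
        v.append("non-standard programs: " + ", ".join(sorted(extra_sw)))
    if p.usb_enabled:
        v.append("USB/CD-ROM not disabled")
    if not p.antivirus_on:
        v.append("antivirus not installed")
    return v


def admission_decision(p, audit):
    """Gate at connect time: deny on any violation and log the attempt with its
    reasons for later analysis, as each standard requires."""
    violations = check_posture(p)
    audit.append({"host": p.host, "admitted": not violations, "violations": violations})
    return not violations


def _digest(pw):
    # Stand-in for the directory's own password hash; only the comparison matters here.
    return hashlib.sha256(pw.encode()).hexdigest()


def password_expired(last_changed, today):
    """60-day rotation rule."""
    return today - last_changed > PASSWORD_MAX_AGE


def password_reuse_blocked(new_pw, history):
    """history holds digests of previous passwords, most recent first."""
    return _digest(new_pw) in history[:PASSWORD_HISTORY]


def record_password(history, pw):
    """Prepend the new digest and keep only the last five."""
    return [_digest(pw)] + history[:PASSWORD_HISTORY - 1]


def password_demo():
    """Rotation and history rule worked through on constructed dates/passwords."""
    hist = record_password([], "Spring2009!")
    reuse_now = password_reuse_blocked("Spring2009!", hist)
    for i in range(PASSWORD_HISTORY):
        hist = record_password(hist, "pw%d" % i)
    return {
        "reuse_now": reuse_now,                                          # blocked
        "reuse_after_five": password_reuse_blocked("Spring2009!", hist), # rolled out
        "expired_90d": password_expired(date(2009, 1, 1), date(2009, 4, 1)),
        "expired_31d": password_expired(date(2009, 3, 1), date(2009, 4, 1)),
    }
```

In a real deployment the baseline is the IT department's published list and the posture comes from the directory or an endpoint agent rather than from literals; what the standards fix is the shape of the check and the requirement that every denial is logged with its reasons.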
4.2.2 Issue Specific Security Policy
The IPMS framework gives the set of control measures that are enforced by the issue specific
policy, known as the "GWC Operations Security Standards". The standards apply to the entire
network and its applications, and to all inbound and outbound network traffic of any kind
and any protocol that crosses the GWC global network. GWC has implemented the IPMS
framework security model together with the vendor product to maintain the GWC Operations
Security Standards, monitoring inbound and outbound network traffic to protect its
intellectual property.
The IPMS framework controls comprise administrative, procedural and technical controls.
The preventive and administrative controls of IPMS include GW Corporation's policies and
procedures: pre-employment background checks, strict hiring practices, vacation schedules,
employee agreements including termination procedures, the labelling of sensitive materials,
due supervision, security awareness training for all employees, and sign-up procedures.
GWC previously had multiple security policies distributed heterogeneously to the various
departments according to each department's requirements. The IPMS framework now takes all
of these policies into account and links them to a single main security policy built on two
clauses (system specific and issue specific).
4.3 IPMS Security Procedure
An IPMS security procedure is step-by-step documentation for performing an important
action. A procedure is typically used by operational staff to troubleshoot a problem or to
carry out an operational task without mistakes, and it lists every detailed action the staff
must follow. For example, a procedure might give the detailed steps for setting up an e-mail
account or a user account in Active Directory. Following the procedures developed by IPMS
avoids the security risks of mishandling account and e-mail management inside GW
Corporation. This is only one example of the security procedures.
4.4 IPMS Security Plan
The IPMS security plan is a document, maintained and reviewed periodically by IT Security,
that underpins the development and maintenance of the security policy, standards,
procedures and guidelines. All steps must be clear and concise and must be reviewed and
updated frequently to ensure they remain effective.
4.5 IPMS Priorities
The order of priority, in a top-down approach, of the Intellectual Property Management
System framework is as follows:
Host based/Network based Firewall Protection
Anti-Virus protection
Preventing hackers into GWC’s wireless network
Updating all the systems with the updated security patches, with Automatic
updates turned on.
Security awareness program for employees.
Monitoring all protocols for outbound and inbound traffic using network vendor
devices.
System Theft prevention
Laptop/Desktop Encryption security
Asset inventory tagging.
All servers to be protected and in the secure locked access room.
Security locks for desktop and laptop computers
4.6 IPMS Security Roles and Responsibilities
The table below provides the roles and responsibility matrix of the IPMS framework model.
Roles and Responsibility Matrix for IPMS Framework
Role | Framework Ownership | Detailed Description of Roles/Responsibilities
Risk Management Team | IPMS | All projects and activities which are associated with risk to the business. Departments include development, finance, manufacturing, and IT support. This role is supported by top management, such as the chief security officer, to take final decisions, and serves as the top escalation point to define risk to the business.
Information Security Team | IPMS | This team is responsible for all system assets (desktops/servers/laptops/PDAs/other devices) of GW Corporation. It is accountable for lost/stolen assets and for the impact of those assets on GW Corporation.
GWC Stakeholders | | GWC stakeholders are accountable for defining the acceptable risk levels for the business.
Information Technology Team | IPMS | This team in GWC will own the highest risk processes, such as assessing risk and measuring the effectiveness of the program in every phase of the IPMS framework. It also defines the security requirements and IT control measures undertaken for the effectiveness of the IPMS framework model.
Architecture | IPMS | This team’s role includes information technology architecture along with engineering and operations.
Risk Assessment Team | IPMS | This team is responsible for the overall risk management program driven by IPMS. It is also responsible for the Assessing the Risk phase and for prioritizing all the risks to GW Corporation.
Security Manager | IPMS | This is a lead role, which heads the Security Risk Management Team in the right direction by gathering valuable data.
Security Engineer | IPMS | Monitors all suspicious activities in the network and gathers data for analysis.
Vendor Support | IPMS | This team is responsible for implementing the network monitoring device and supports the business going forward with its future requirements. This role interacts with the IT, security, architecture and risk management teams.
Systems Administrator | IPMS | Team which follows the IPMS framework security policies, conducts security awareness programs and follows the proper guidelines to mitigate risks.
Table 1: IPMS Roles and Responsibility Matrix
4.7 IPMS Enforced Controls List
IPMS Framework takes best security practices for the control matrix and lists them below:
Security Control Matrix for IPMS Framework
Types of control: Preventive (controls used for avoiding events from taking place); Detective (controls used for identifying undesirable events that have occurred); Corrective (controls used for correcting undesirable events that have occurred); Deterrent (controls used for restoring resources and capabilities).
Physical X: Locks X X; Fences X X; Security Guard X X; Mantrap Doors X X; Lighting X; Biometric System X X; Motion Detectors X; Alarms X X; Backups X X; CCTV X X
Administrative X: Monitoring X X; Security Policy X; Separation of Duties X X; Job Rotation X X; Data Classification X; Security Procedures X; Security Awareness Training X X X
Technical X: Routers X; Firewalls X X X X; IDS X X; Encryption X X; Anti-virus X X X; Smart Cards X; Alerts X; Audit Logs X
Table 2: Security Control Matrix
All these controls are categorized into High, Medium and Low based on the priority of
systems and tasks. Controls can also be mandated based on platform type, i.e. based on
whether a system is a database server, web server or a portable device, it might have to
implement different security controls specific to each platform category.
5 Data Classification
Data is the most critical asset of GWC. All employees have the responsibility
to protect the confidentiality, integrity, and availability of data generated, accessed,
modified, transmitted, stored or used by the Company, particularly in electronic
form, under our intellectual property protection plan. Departments are responsible for
implementing appropriate managerial, operational, physical, and technical controls for
access to, use of, transmission of, and disposal of GWC data in compliance with the
policy.
5.1 GWC Existing Data Classification
Data owned, used, created or maintained by GWC is classified into the following three
categories:
Non-Essential
Essential
Confidential
5.2 IPMS Data Classification
Windows CIFS Shares (Data in Motion)
These are examples of sample Windows CIFS shares, which are to be captured for monitoring to analyze data in motion.
Share Name | Primary Contact | Data in Motion
Secure1 | Mr. ABC1 | Sensitive information
Secure1 | Mr. ABC1 | Confidential information
Secure2 | Mr. ABC1 | Non-essential information for testing
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
Windows CIFS Shares (Data at Rest)
These are examples of Windows CIFS shares, which are to be captured for monitoring to analyze data at rest.
Share Name | Primary Contact | Data at Rest
Secure1 | Mr. ABC1 | Sensitive information
Secure1 | Mr. ABC1 | Confidential information
Secure2 | Mr. ABC1 | Non-essential information for testing
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
UNIX NFS Shares (Data in Motion)
These are examples of UNIX NFS shares, which are to be captured for monitoring to analyze data in motion.
Share Name | Primary Contact | Data in Motion
Secure1 | Mr. ABC1 | Sensitive information
Secure1 | Mr. ABC1 | Confidential information
Secure2 | Mr. ABC1 | Non-essential information for testing
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
Secure1 | Mr. ABC1 | Confidential information
UNIX NFS Shares (Data at Rest)
These are examples of UNIX NFS shares, which are to be captured for monitoring to analyze data at rest.
Share Name | Primary Contact | Data at Rest
Secure1 | Mr. ABC1 | Sensitive information
Secure1 | Mr. ABC1 | Confidential information
Secure2 | Mr. ABC1 | Non-essential information for testing
Secure1 | Mr. ABC1 | Confidential information
6 IPMS Design and Architecture
6.1 Existing Security/Network Architecture of GWC
Figure 5: Security/Network of GWC (network diagram built from Catalyst 3750 series switches; not reproduced in text)
Under the current security/network model of Global Wafers Corporation, shown above,
none of the communication protocols are monitored in the company. This
paves the way for workers, hackers and malicious programs to gain access to sensitive
intellectual property information from the company. It does not have the necessary tools
or processes to monitor even basic protocols such as File Transfer Protocol,
Simple Network Management Protocol, HTTP, instant messenger chats and source
code control protocols. Without blocking or monitoring these protocols, information
flows freely from internal employees to the outside world. The
existing model consists of two levels of firewall against malicious external hackers coming
into the company. The existing model does not have an alert or a rule to monitor or
block employees sending sensitive information to the outside world.
This paved the way to develop a new security model to protect the intellectual property of
GWC. After the initial discussion with the senior members of the business and
information technology it was decided that we should analyze the existing security
models and policies and come up with a new effective model to protect the intellectual
property of GWC.
6.2 IPMS Recommended Network Design
Figure 6: IPMS recommended GWC Network Design (network diagram built from Catalyst 3750 series switches; not reproduced in text)
Data analysis is done using the Intellectual Property Management System guidelines for data
classification and with the integration of the third party Data Loss Prevention tools. The
IPMS design and architecture comprises strict policies and guidelines along with
network packet capturing devices installed at the SPAN ports of the core switches, as shown
in the proposed IPMS network diagram above for Global Wafers Corporation.
The IPMS framework model is used by the corporate security team to identify the
critical data and group them under one consolidated system to be protected. The third
party data loss prevention tools help the security team to consolidate the views of all
critical systems, and group them to view all the violations taking place in the GWC network.
They also create alert filters and actions that will automatically notify the security team when
violations occur in the GWC network. This also established the need to create customized
enterprise reports that will provide a detailed violation list to investigate using the case
management tools, as explained in the upcoming sections of this document.
6.3 Data Loss Prevention Tool Integration
The third party data loss prevention (DLP) tool is divided into three categories: (1) Data
Discovery Tool, (2) Data Capture Tool, and (3) Data Monitoring Tool. The design
proposed by the IPMS framework is shown in the diagram below, which shows where to place all
three network packet capturing devices in the GWC network.
Figure 7: Data Loss Prevention third party tool integration in GWC
Source: www.dlpindepth.org/pdf/reconnex/RCX_InSightConsole_DS.pdf
The valid data analysis is done using IPMS guideline data classification and with the
integration of the third party DLP tools, as explained below:
6.4 Discovering Data at Rest
6.4.1 Search by Repository Type
The plug-in provided by the DLP tool searches and indexes all the data that is
classified in the IPMS framework by scanning the repository types defined by
the IPMS. It then searches for those repository types from the DLP tool’s discovery plug-
in. This plug-in supports document registration and crawls all the data in the GWC
network when a discovery operation is initiated. The discovery operation is performed
along with the indexing as an automatic background process defined by the IPMS
framework. This index is used by the DLP tool to search for valuable information that
passes in the network’s inbound and outbound traffic.
The steps involved behind the DLP discovery plug-in are explained below:
Go to the Capture section, Advanced Search, as shown in the screenshot below
Double click the Discover category
Select the appropriate Repository Type
Select a condition as shown below
Enter the appropriate repository type in the Value field (in this case it is CIFS
Windows share, as explained in the previous data classification section).
6.4.2 Search by the Signature Percentage Match
Every sensitive/confidential document registered by the DLP Discovery Plug-in will
contain thousands of signatures to identify all the relevant small portions of that
document. When we try to retrieve a signature percentage match, each indexed/registered
document will be evaluated according to the percentage specified. The DLP Discovery
Plug-in will search all indexes created by scans for indexed/registered documents that
meet the criteria specified in the tool. Results are returned only for the documents
that meet the limits we have defined in the policy or search. Other documents, which
exceed the limit or deviate from the policy/search or condition we
have selected, are discarded. This search process always assumes that we have registered the
relevant content.
The steps involved behind document indexing and registration are explained below:
Go to the Capture section, Advanced Search, as shown in the screenshot below
Double click the Discover category
Select the appropriate Repository Type
Select a condition as shown below
As an exact percentage match is not likely to be practical, we can ask that the match be
greater than or less than the percentage we specify.
Enter a value as shown below for a 75% match of the sensitive document traveling in the
network.
6.4.3 Search by the File Path
Search by file path in the DLP plug-in will find the absolute and relative file paths,
supported by Windows/UNIX operating systems, that have been indexed in the third party
tool databases. The Discovery Plug-in will search all indexes created by repository scans
for the file path we define using the IPMS framework model.
Go to the Capture section, Advanced Search, as shown in the screenshot below
Double click the Discover category
Select the appropriate Repository Type
Select the File Path needed.
Select the correct condition and enter the file path as shown below.
6.4.4 Search by the File Size
We can limit and refine the searches to files of a certain size using the example below.
The Discovery Plug-in will search all indexes created by repository scans for the file size
we define using the IPMS framework model.
Go to the Capture section, Advanced Search, File Information, as shown in the
screenshot below.
Select the Repository Type
Select the file size needed
Select the condition as shown below and enter the file size.
6.4.5 Data Capture
Investigating an employee’s Internet activity inside the company will need the third party
tool plug-in for logging and documentation. After a suspected violation of the company’s policies,
we can monitor a user’s activity by searching by his user id, email address or IP to identify
the user, then constructing a valuable search to retrieve all information under that.
Go to the Capture Plug-in Tool and click the Advanced Search toolbar.
Open the Source/Destination category.
Search for the employee by relevant parameters as shown below:
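The four discovery searches of 6.4.1 to 6.4.4 (repository type, signature percentage match, file path, file size), modelled as an added example that is not the report’s code nor the DLP vendor’s: the server names, share paths, registered document and word-shingle “signatures” are constructed stand-ins for the vendor’s fingerprints.

```python
# Added example, not code from the IPMS report or from any DLP vendor: a small
# model of the discovery index from section 6.4. Server names, share paths,
# the registered document and the thresholds are all constructed.
from dataclasses import dataclass, field
import fnmatch
import hashlib
import operator
import re

SHINGLE_WORDS = 4  # one "signature" here = hash of 4 consecutive words


def signatures(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Fingerprint text as the set of hashes of its k-word shingles. Vendor tools
    use their own fingerprints; this keeps the property the report relies on:
    a partial copy retains a proportional subset of the original's signatures."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(len(words) - k + 1, 0))}


@dataclass
class IndexedFile:
    repository_type: str   # "CIFS" or "NFS", the IPMS repository types
    share: str             # share name from the IPMS data classification
    path: str              # absolute path recorded by the repository scan
    size: int              # bytes
    sigs: set[str] = field(default_factory=set)


@dataclass
class RegisteredDocument:
    name: str
    sigs: set[str]


def percent_match(candidate: IndexedFile, doc: RegisteredDocument) -> float:
    """Percentage of the registered document's signatures found in the file."""
    if not doc.sigs:
        return 0.0
    return 100.0 * len(candidate.sigs & doc.sigs) / len(doc.sigs)


# Condition/value pairs as typed into the search form: (">", 75.0), ("<", 4096)
CONDITIONS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
              "<=": operator.le, "=": operator.eq}


def search(index, registered, *, repository_type=None, path_glob=None,
           size=None, match=None):
    """Apply the 6.4.1-6.4.4 criteria; return (file, best_doc, best_pct) hits.
    A file failing any selected criterion is discarded, as the report describes."""
    hits = []
    for f in index:
        if repository_type and f.repository_type != repository_type:
            continue
        if path_glob and not fnmatch.fnmatchcase(f.path, path_glob):
            continue
        if size and not CONDITIONS[size[0]](f.size, size[1]):
            continue
        best_doc, best_pct = None, 0.0
        for doc in registered:
            pct = percent_match(f, doc)
            if pct > best_pct:
                best_doc, best_pct = doc.name, pct
        if match and not CONDITIONS[match[0]](best_pct, match[1]):
            continue
        hits.append((f, best_doc, best_pct))
    return hits


# Constructed sample data: one registered recipe document (18 words, so 15
# signatures) and four indexed files on the Secure1/Secure2 shares of 5.2.
RECIPE = ("wafer etch recipe step one chamber pressure forty millitorr "
          "rf power three hundred watts gas flow sixty sccm")
_W = RECIPE.split()


def registered_docs() -> list:
    return [RegisteredDocument("etch_recipe_v3", signatures(RECIPE))]


def sample_index() -> list:
    return [
        IndexedFile("CIFS", "Secure1", r"\\gwc-fs01\Secure1\process\etch_recipe.docx",
                    48_000, signatures(RECIPE)),                      # exact copy: 100%
        IndexedFile("NFS", "Secure1", "/export/secure1/eng/recipe_notes.txt",
                    2_100, signatures("draft notes: " + " ".join(_W[:15]))),  # 12/15 = 80%
        IndexedFile("NFS", "Secure1", "/export/secure1/eng/summary.txt",
                    900, signatures(" ".join(_W[:10]))),              # 7/15 = 46.7%
        IndexedFile("CIFS", "Secure2", r"\\gwc-fs02\Secure2\test\lorem.txt",
                    12_000, signatures("non essential placeholder text for testing")),
    ]


def demo() -> dict:
    """Run the four 6.4 searches plus one combined search; return hit counts."""
    idx, docs = sample_index(), registered_docs()
    return {
        "cifs_only": len(search(idx, docs, repository_type="CIFS")),
        "match_over_75": len(search(idx, docs, match=(">", 75.0))),
        "eng_paths": len(search(idx, docs, path_glob="*/eng/*")),
        "over_10kb": len(search(idx, docs, size=(">", 10_000))),
        "nfs_match_over_75": len(search(idx, docs, repository_type="NFS",
                                        match=(">", 75.0))),
    }
```

Running demo() returns hit counts of 2, 2, 2, 2 and 1 for the five searches; the 80% partial copy passes the 75% threshold from 6.4.2 while the 46.7% fragment is discarded.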
7 Economic Justification
7.1 Executive Summary
“Intellectual property is unique, as it is the fruit of personal creation and inventiveness. It
might be a poem that you write, the name your hairdresser thinks up to sell his or her
services, or a mother’s invention for a non-spill cup for babies. It can also be a Picasso
painting, an Akira Kurosawa film, Naguib Mahfouz novel, a new method of irrigation for
farmers in arid regions, the invention of the light bulb, a computer chip or a jet turbine
engine. In the future, intellectual property creators aim to deliver more abundant food
resources, clean energy and cures for illnesses from cancer to the common cold.”
(Intellectual property: Source of Innovation, creativity, growth and progress, 2005, p6).
In today’s technological era, employees are given freedom to access the company’s data via
various methods inside and outside the company, through various channels and gadgets. It is
hard for any company to keep the information flow inside the organization. We
specifically address the security model and the information flow model for semi-
conductor based companies. Proactive steps must be taken to prevent unauthorized
disclosure of intellectual property and reactive steps must be taken to respond to
intellectual property theft. The primary focus of this project is to provide a practical,
realistic, and cost effective roadmap to safeguard the intellectual property of Global Wafers
Corporation. We will identify the intellectual property of GWC Corp. and evaluate the
current mechanisms (if any) used by the company to protect IP, and discover and document
the security controls needed by a semiconductor industry to protect its intellectual
property. This system provides a concrete list of requirements that can be used by the IT
and management team of the company to understand their security implementation and
justify the security expenditures to decision makers. This project is an internal project for
GWC; we do not have any direct competitors and our only customer is Global Wafers
Corporation. For this project to be successfully implemented we will need an initial
investment of four hundred and six thousand dollars from the Engineering department of
GWC. The market size for our project is very large in scope; GWC incurred losses of
$5 million in the year 2008, and these will steadily increase if there is no proper security procedure
in place. The IPMS project will be carried out over 10 months in the year 2009; we have
assumed that by implementing our project GWC will be able to save about 10% of the
losses ($5 million) in the year 2010, 15% in the year 2011 and about 20% in 2012. Hence our
proposed solution will result in net savings of $593,600 by the end of 2012 and we will
break even by late (Q3-Q4) fiscal year 2011. The calculated return on investment
(ROI) by the end of 2012 will be 145%.
7.2 Problem Statement
In today’s economy, most companies are investing more in research and development
than in new plants and equipment. Since intellectual property is an intangible asset, it is
more vulnerable to theft. Regardless of size or kind of business, every organization is
faced with the complex challenge of protecting its critical digital assets. Digital assets
include hardware designs, source code, customer databases, financial records and product
launch strategies. Organizations get their competitive edge and differentiation in the market
place from these information assets and intellectual property (IP). Hence IP is considered
to be the root of their public reputation and enterprise brand.
In this technological world, information is exposed in a number of ways and
organizations face risks in multiple ways:
Accidental disclosure by employees
External hackers and malicious insiders
Servers/networks being improperly configured or unsecured
Failure to follow proper business practices leading to end user misbehaviour
Accidental misuse of IT infrastructure posing serious risk to information
Based on an independent survey carried out by the Ponemon Institute in November 2008,
92% of IT security practitioners report that their organization had a cyber criminal attack. The
survey included 825 respondents in IT operations and 577 respondents in IT security; the
following bar graph shows the results of the survey.
Figure 8: Survey - Organizations having cyber attacks
Source: 2009 Security Mega Trends Survey (p. 4)
Global Wafers Corp. experiences several thousand network attacks every hour,
from several places in the world. There have been several incidents in GWC where
critical IP was compromised and competitive edge was lost. These incidents created a
necessity for effective intellectual property protection.
7.3 Solution & Value proposition
The primary focus of this project is to provide a practical, realistic, and cost effective
roadmap to safeguard the intellectual property of a semiconductor industry. This proof of
concept system identifies the intellectual property of GWC Corp., evaluates the current
mechanisms (if any) used by the company to protect IP, and discovers and documents the
security controls needed by a semiconductor industry to protect its intellectual property.
This system provides a concrete list of requirements that can be used by the IT and
management team of the company to understand their security implementation and
justify the security expenditures to decision makers.
This project will provide the necessary guidelines to safeguard the company’s intellectual
property based on cost/benefit analysis and risk management factors, so that the company
can retain its competitive edge in the market. The proposed solution will address the
loopholes in the current security processes and identify a security product available in the
market, based on cost/benefit analysis and risk management, suited to the semi-conductor
industry. The proposed model is intended to work for semi-conductor companies which
have a distributed network environment for Engineering and Manufacturing divisions. Not all
digital assets at GWC can be protected from every possible attack, due to practical and
financial infeasibility. The business impact should be considered in determining
which security measures to put in place for a given piece of intellectual property. The project
will not be addressing all the security controls imposed by FISMA and the PCI standards
council. The new security model will be cost effective as it requires minimal capital
investment for its development. Using available internal resources like manpower and the
company’s infrastructure, we will be able to complete the project within 10 months and
within the specified budget. Our team will provide maintenance and support for
three years, benefiting the company for up to three years from this project and satisfying both
short term and long term costs.
7.4 Market Size
Based on the chart below, it can be seen that between 2006 and 2010 the losses due to
security breaches in Global Wafers Corporation will almost double. The
losses are incurred because there is no proper security procedure in place. This gives us
huge potential to target the security system which is at threat. At this point in time we are
concentrating only on Global Wafers Corporation; in future, upon successful
implementation of IPMS, we shall consider other companies in the semi-conductor industry as our
potential customers.
Figure 9: Losses due to security breaches in GWC
Source: Industry Sponsor
Intellectual Property Management System is a customized solution for our customer
Global Wafers Corporation, and GWC is providing us with an initial investment of four
hundred and six thousand dollars for developing and implementing our solution.
7.5 Competitors
Intellectual Property Management System is an internal project for Global Wafers
Corporation and our team will act as internal consultants to the company; therefore we
believe we do not have any direct competitors. A lot of time has been spent in analyzing their
business needs and our solution is custom made for the engineering department of GWC,
targeting their security issues. At this point we will not develop and implement a
similar solution for any company other than Global Wafers Corporation.
However, we can still have indirect competition from consulting companies who
specialize in providing security solutions to semi-conductor companies like Global
Wafers Corporation. Examples of consulting companies which specialize in providing
similar solutions would be IBM Internet security systems, Software Security solutions,
RSA security (EMC), VeriSign, Entrust systems etc.
7.6 Customers
Our only customer at this point is Global Wafers Corporation. Our team will sell the
Intellectual Property Management System solution to senior management, in particular
the VP of the engineering department of Global Wafers Corporation. After we successfully
implement the IPMS solution at GWC, we plan to provide a similar solution to other
companies in the semiconductor industry. In future our customer base would be Applied
Materials, KLA Tencor, National Semiconductors, Semi and Hynix.
7.7 Total Cost
The total cost for developing a new security model for the engineering department of
Global Wafers Corporation is about four hundred and six thousand dollars. The new
security model will require three vendor products, which will be used to monitor the
protocols over the security network. All three products will be purchased from a single
vendor. Each product will cost about fifty thousand dollars. Infrastructure for 10 months
to support the project is estimated to cost around one hundred and twenty thousand dollars. The IPMS
solution is estimated to provide financial benefits for three years. The following
tables give an estimate of fixed and variable cost.
7.7.1 Fixed Cost
For our proposed IPMS solution, there are three major fixed costs. Since it is a one-time
investment for Global Wafers Corporation, the employees and the infrastructure to
support them are considered fixed costs.
Type of costs Costs
Manpower $91,400
Infrastructure $120,000
Vendor product $150,000
Total $361,400
Table 3: Fixed Cost
Manpower Cost
The manpower cost is shown in the following table. Since most employees are full-time
employees, they will be providing a few hours of their time to this project. The breakdown of
their time, by phase, is as shown:
Manpower Cost
Phase | No. of Weeks | No. of Hours | Employee | Cost/hour | Total Hours | Cost
Initiation | 2 | 40 | Windows Admin | $70 | 80 | $5,600
Initiation | 2 | 40 | Unix Admin | $75 | 80 | $6,000
Initiation | 2 | 40 | Clearcase Admin | $80 | 80 | $6,400
Initiation | 2 | 5 | IT Manager | $105 | 10 | $1,050
Initiation | 2 | 10 | Security Analyst | $85 | 20 | $1,700
Define | 3 | 40 | Windows Admin | $70 | 120 | $8,400
Define | 3 | 5 | Unix Admin | $75 | 15 | $1,125
Define | 3 | 5 | Clearcase Admin | $80 | 15 | $1,200
Define | 3 | 5 | IT Manager | $105 | 15 | $1,575
Define | 3 | 10 | Security Analyst | $85 | 30 | $2,550
Plan | 5 | 40 | Windows Admin | $70 | 200 | $14,000
Plan | 5 | 5 | Unix Admin | $75 | 25 | $1,875
Plan | 5 | 5 | Clearcase Admin | $80 | 25 | $2,000
Plan | 5 | 5 | IT Manager | $105 | 25 | $2,625
Plan | 5 | 10 | Security Analyst | $85 | 50 | $4,250
Development | 22 | 5 | Security Analyst | $85 | 110 | $9,350
Development | 22 | 5 | Vendor | $65 | 110 | $7,150
Validate | 9 | 5 | Security Analyst | $85 | 45 | $3,825
Validate | 9 | 5 | Vendor | $65 | 45 | $2,925
Deploy | 2 | 5 | Unix Admin | $75 | 10 | $750
Deploy | 2 | 40 | Security Analyst | $85 | 80 | $6,800
Total | | | | | 1190 | $91,400
Table 4: Manpower Cost
7.7.2 Variable Cost
As the project progresses, we anticipate some hidden costs which could get neglected and
result in incorrect cost estimation. Below are the variable costs which are identified for
IPMS solution:
Cost Contributors | Cost in dollars
Employee Training | $25,000.00
Time spent on Review and Approval process by Management | $20,000.00
Total Cost | $45,000.00
Table 5: Variable Costs
7.7.3 Maintenance Cost
The security model once developed will require annual maintenance. The cost is
calculated for three years. It will require one Security analyst to maintain the security
network, giving about two hours per week. The calculations are shown as follows:
Maintenance Cost | FY 2010 | FY 2011 | FY 2012
Security Analyst @ $85/hour | $44,200 | $44,200 | $44,200
Table 6: Maintenance Cost
7.8 Service Price Point
Our sponsor/customer, the engineering department of Global Wafers Corporation, has
agreed to pay us an initial amount of four hundred and six thousand dollars. Since we
are involving only internal employees, we are charging thirty percent less than
independent consultants. Also, all of the team members have hands-on experience in
security for the semiconductor industry; they are aware of the problems currently faced by
Global Wafers Corporation and hence will be directly involved in the project. This
differentiates us from independent consultants, who would spend time and money on
training, knowledge transfer etc. for their employees.
7.9 SWOT Assessment
The SWOT assessment for the IPMS solution is as follows:
Strengths
• Custom-made solution bespoke to customer needs.
• Highly skilled GWC internal employees forming the team.
• IPMS implementation is a one time investment for GWC.
• Implementation fee is 30% lower than competitors.
Weaknesses
• Not all security threats are covered.
• Not all government regulations are followed.
• Losses cannot be quantified.
Opportunities
• Future work like upgrading the current model.
Threats
• GWC may choose another consulting company.
• Team members could quit GWC and join competitors.
Table 7: SWOT Analysis for IPMS
7.10 Investment Capital Requirements
Our project requires an estimated capital investment from Global Wafers Corporation of
about $361,400 (fixed costs) from the beginning of 2009 to the fourth quarter of 2009 to
successfully develop and implement the IPMS solution for the engineering department of
GWC. Below is the cash flow statement of our project for the year 2009. As shown in
the cash flow statement, we would require $115,000 in the first quarter of 2009, $140,000
in the second quarter of 2009, and $90,000 and $20,000 in the third and fourth quarters.
The same is shown in the graph below and a detailed statement is shown in Table
8.
Figure 10: Cash Flow statement
Quarter | Q1 FY'09 | | | Q2 FY'09 | | | Q3 FY'09 | | | Q4 FY'09 | | |
Month | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | Total
Beginning Cash Balance | - | $59,350 | $19,550 | $4,650 | $131,650 | $68,650 | $5,650 | $32,650 | $17,150 | $2,650 | $3,600 | $3,600 |
Cash Inflows: Global Wafers Corporation | $115,000 | 0 | 0 | $140,000 | 0 | 0 | $90,000 | 0 | 0 | $20,000 | 0 | 0 | $365,000
Total Cash Inflows | $115,000 | 0 | 0 | $140,000 | 0 | 0 | $90,000 | 0 | 0 | $20,000 | 0 | 0 | $365,000
Available Cash Balance | $115,000 | - | - | $144,650 | - | - | $95,650 | - | - | $22,650 | - | - |
Cash Outflows (Expenses):
Infrastructure | $25,000 | $20,000 | $5,000 | $10,000 | $10,000 | $10,000 | $10,000 | $10,000 | $10,000 | $10,000 | - | - | $120,000
Vendor product | - | - | - | - | $50,000 | $50,000 | $50,000 | - | - | - | - | - | $150,000
Initiation | $20,750 | - | - | - | - | - | - | - | - | - | - | - | $20,750
Define | $9,900 | $4,950 | - | - | - | - | - | - | - | - | - | - | $14,850
Plan | - | $14,850 | $9,900 | - | - | - | - | - | - | - | - | - | $24,750
Development | - | - | - | $3,000 | $3,000 | $3,000 | $3,000 | $3,000 | $1,500 | - | - | - | $16,500
Validate | - | - | - | - | - | - | - | $2,500 | $3,000 | $1,500 | - | - | $7,000
Deploy | - | - | - | - | - | - | - | - | - | $7,550 | - | - | $7,550
Total Cash Outflows | $55,650 | $39,800 | $14,900 | $13,000 | $63,000 | $63,000 | $63,000 | $15,500 | $14,500 | $19,050 | - | - | $361,400
Ending Cash Balance | $59,350 | $19,550 | $4,650 | $131,650 | $68,650 | $5,650 | $32,650 | $17,150 | $2,650 | $3,600 | $3,600 | $3,600 |
Total Employee Hours | 400 | 260 | 130 | 40 | 40 | 40 | 20 | 70 | 60 | 110 | 0 | 0 | 1170
Table 8: Cash Flow Statement
7.11 Personnel
All the team members on the IPMS team will be internal employees of GWC. The team
will work on the IPMS project for a duration of ten months. During these ten
months, the team members will only give a small percentage of their time to this project.
We will require one person from the vendor to assist us while incorporating the vendor
product into our security model. A detailed list of the manpower estimation is given:
Title | Role(s) | Organization | E-Mail Address
IT Manager | Provide direction and control of project personnel in order to provide a framework for project communications, reporting, and procedural and contractual activities. | |
Unix Admin | Maintain the network infrastructure such as switches and routers. Is an expert in computer and network security. Maintain the firewalls of the system network. | |
Windows Admin | Administer, support and maintain Windows servers. Provide and maintain the user credentials. | |
Clearcase Admin | Administer, support and maintain Clearcase servers. Responsible for configuration control management. | |
Security Analyst | Develops and communicates the security policy of the organization. Performs a security analysis of the system, data, hardware and software components. | |
Vendor Consultant | Implements the vendor specific product in the application and provides the necessary guidelines to maintain and troubleshoot the vendor product. | Vendor Company |
Table 9: Team Roster
7.12 Business Revenue Model
As internal consultants for Global Wafers Corporation, we first have to compute the returns our project will fetch for the company. In order to compute the returns we have made a few assumptions. The first is that the losses are five million dollars in the year 2009. The second is that by implementing IPMS we will reduce the losses by 10% in year 2010, by 15% in year 2011 and by 20% in year 2012. The business revenue model depicting this is shown below:
| FY 2009 | FY 2010 | FY 2011 | FY 2012
Investment | $406,400 | $44,200 | $44,200 | $44,200
Fixed Expenses | | | |
Employee | $91,400 | 0 | 0 | 0
Infrastructure | $120,000 | 0 | 0 | 0
Vendor Product | $150,000 | 0 | 0 | 0
Variable Expenses | | | |
Employee Training | $25,000 | 0 | 0 | 0
Review & Approval Time | $20,000 | 0 | 0 | 0
Maintenance Cost | $0 | $44,200 | $44,200 | $44,200
Total Expenses | $406,400 | $44,200 | $44,200 | $44,200
Reduction of Losses (%) | 0 | 10 | 15 | 20
Reduction of Losses | $0 | $500,000 | $750,000 | $1,000,000
Returns | ($406,400) | $93,600 | $343,600 | $593,600
Table 10: Business Revenue Model
7.13 Break Even Analysis
Based on the income statement, we have plotted the Profit & Loss graph followed by the Break-even analysis graph. The figures below depict these graphs.
Figure 11: Profit and Loss Graph
Figure 12: Break Even Analysis Graph
7.14 Return on Investment
As per the cash flow statement, we will require about $406,400 of capital investment
from Global Wafers Corporation to successfully develop and implement Intellectual
Property Management System. As per our calculations, we will have net returns of
$593,600 by the end of year 2012 as seen in our Business & Revenue Model. Hence,
ROI = [(Savings per year) / Cost of Investment] * 100

YEAR | 2010 | 2011 | 2012
20% Discount on the investment | $35,360 | $35,360 | $35,360
ROI (%) | -86.77 | 7.78 | 144.80
Table 11: ROI Table

The ROI of IPMS is 145%, which shows the financial benefit of implementing IPMS.
8 Risk Management
In today’s world, companies face a number of varied risks. It is important for companies to assess the potential risks and analyze the trade-offs. Risk can be defined as the net negative impact that results from a combination of a threat, the likelihood of the threat occurring, and the vulnerability of the system, together with the impact of that threat on the system or organization. Hence the organization must take steps to identify the possible risks, assess the identified risks and reduce them to an acceptable level. “Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT system and data that support their organization’s mission.” (Stoneburner & Goguen, 2002, July, Risk Management Guide for Information Technology Systems, p. 4)
The basic steps in risk management are:
Risk assessment
Vulnerability assessment
Risk mitigation strategy development
8.1 Risk Assessment
The first phase of risk management is risk assessment, which involves listing all possible risks to the Intellectual Property Management System. The listed risks are then evaluated both for the frequency of occurrence and for the impact in the event of an occurrence. Qualitative risk assessment, a method which uses value-based language such as “high”, “medium” and “low”, has been used to evaluate the impact of these risks. The following are the risks we have identified for the Intellectual Property Management System at Global Wafers Corporation:
IT specific threats
  Cyber threats
  Loss of data or records
  Hardware
    Equipment failure (intentional, unintentional damage)
    Power outage
    Equipment theft
  Software
    Bugs, glitches
    Data corruption
    Data security breach (deleted, stolen, modified)
  Infrastructure
    Internet connection
    Cabling
    Routers, infrastructure hardware
System related threats
  Incorrect User Privileges
  Inadequate Application Design
  Inadequate Review Process
8.2 Vulnerability Assessment
Vulnerability is defined as the weakness, susceptibility, or exposure to hazards or threats. The process of vulnerability assessment can be either qualitative or quantitative, but in many cases a qualitative assessment is used. Various data sources are used in a typical vulnerability assessment. The following table gives the vulnerability assessment for the IPMS project: the risks and their sources, along with a qualitative rating of the vulnerability and the frequency of occurrence.
Item No. | Threat Name | Threat Source | Vulnerability Rating | Frequency
001 | Incorrect User Privileges | Internal | High | Constant
002 | Inadequate Application Design | Internal | Low | Infrequently
003 | Inadequate Review Process | Internal | Medium | Frequently
004 | Equipment failure (intentional, unintentional damage) | Internal | Low | Infrequently
005 | Equipment theft | Internal & External | Low | Infrequently
006 | Power outage | External | Low | Infrequently
007 | Bugs, glitches in application | Internal | High | Frequently
008 | Loss of data or records | Internal | High | Frequently
009 | Data corruption | Internal | High | Frequently
010 | Cabling | Internal | Low | Infrequently
011 | Routers | Internal | Low | Infrequently
Table 12: Risk & Vulnerability Assessment Table
8.3 Risk Mitigation Strategy Development
Risk mitigation is defined as taking steps to reduce adverse effects. The data gathered in the previous phases was used to develop strategies for managing risks in a manner that is suitable for the IPMS project and Global Wafers Corporation. The developed strategies will help in accepting, avoiding, reducing or transferring the risks of potential business disruptions.
Risk | Mitigation Approach
Incorrect User Privileges | Provide the right access for the right people, ensuring individual access. Implement privileged access approval processes. Install a self-certification process.
Inadequate Application Design | Incorporate a single sign-on platform for the application and central authentication and authorisation via a registry. Tightly controlled password access. Built-in access rules for individuals and groups.
Inadequate Review Process | Implement a review process as a result and follow-up event of the “clean up” at both the application and environment levels.
Equipment theft | Have security procedures in place. These include controlling access to the grounds, the buildings, and certainly the inner offices, labs, server rooms and other areas within the building that contain expensive, sensitive, or strategic materials. Implement strong encryption on all equipment that deals with sensitive data and make sure users understand the importance of encryption.
Bugs, glitches in application | Implement strong quality assurance and control measures/standards to detect and remove bugs and glitches in the application.
Loss of data or records | Restrict access to the systems hosting sensitive data. Implement a daily backup process to reduce the likelihood of significant data loss and to reduce recovery time.
Data corruption | Restrict access to the systems hosting sensitive data. Implement a daily backup process to reduce the likelihood of significant data loss and to reduce recovery time.
Cabling, Routers/Infrastructure Hardware | Provide redundant hardware.
Table 13: Risk Mitigation Table
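The assessment of Table 12 and the mitigations of Table 13 can be kept as one machine-checkable register, so that a threat that was assessed but never assigned a treatment shows up automatically. The following Python is an added example, not part of the report; the numeric scales for rating and frequency are this example's assumption, and the mitigation text is condensed from Table 13.

```python
# Added example (not from the report): a risk register built from Table 12,
# joined with the mitigations of Table 13. The ordinal scales below are an
# assumption; the report uses the words but assigns them no numbers.
from collections import namedtuple

RATING = {"Low": 1, "Medium": 2, "High": 3}
FREQUENCY = {"Infrequently": 1, "Frequently": 2, "Constant": 3}
Risk = namedtuple("Risk", "item threat source rating frequency")

# Table 12 rows (Risk & Vulnerability Assessment); item 004's name abbreviated.
REGISTER = [
    Risk("001", "Incorrect User Privileges", "Internal", "High", "Constant"),
    Risk("002", "Inadequate Application Design", "Internal", "Low", "Infrequently"),
    Risk("003", "Inadequate Review Process", "Internal", "Medium", "Frequently"),
    Risk("004", "Equipment failure", "Internal", "Low", "Infrequently"),
    Risk("005", "Equipment theft", "Internal & External", "Low", "Infrequently"),
    Risk("006", "Power outage", "External", "Low", "Infrequently"),
    Risk("007", "Bugs, glitches in application", "Internal", "High", "Frequently"),
    Risk("008", "Loss of data or records", "Internal", "High", "Frequently"),
    Risk("009", "Data corruption", "Internal", "High", "Frequently"),
    Risk("010", "Cabling", "Internal", "Low", "Infrequently"),
    Risk("011", "Routers", "Internal", "Low", "Infrequently"),
]

# Table 13 (Risk Mitigation), one phrase per threat; the report's combined
# "Cabling, Routers/Infrastructure Hardware" row is split across both threats.
MITIGATION = {
    "Incorrect User Privileges": "right access for the right people; approval; self-certification",
    "Inadequate Application Design": "single sign-on; central authentication/authorisation",
    "Inadequate Review Process": "review process after application and environment clean-up",
    "Equipment theft": "physical access control; strong encryption on equipment",
    "Bugs, glitches in application": "quality assurance and control standards",
    "Loss of data or records": "restrict access; daily backups",
    "Data corruption": "restrict access; daily backups",
    "Cabling": "redundant hardware",
    "Routers": "redundant hardware",
}

def priority(risk):
    """Assumed scoring: rating x frequency, 1 (Low/Infrequently) to 9 (High/Constant)."""
    return RATING[risk.rating] * FREQUENCY[risk.frequency]

def prioritised(register=REGISTER):
    """Register sorted worst-first; sorted() is stable, so ties keep item order."""
    return sorted(register, key=lambda r: -priority(r))

def unmitigated(register=REGISTER, mitigation=MITIGATION):
    """Threats assessed in Table 12 that have no mitigation row in Table 13."""
    return [r.threat for r in register if r.threat not in mitigation]
```

Run against the report's own tables, unmitigated() reports "Equipment failure" and "Power outage": both are rated in Table 12 but have no row in Table 13.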
9 Project Schedule
9.1 First Phase
Table 14: First Phase Project Schedule
9.2 Second Phase
Table 15: Second Phase Project Schedule
10 Conclusion
Accidentally or unintentionally, sensitive documents are often found exposed on corporate networks. The IPMS framework is used to identify hidden, unknown services on the network. Gathering daily statistics on the websites employees visit allows them to use the Internet to complete their job duties while corporate security policies are protected. The IPMS framework is used to investigate an employee’s online activity if we suspect unethical or illegal activity, and to take action against them to protect Global Wafers Corporation’s assets. Finally, IPMS will find all the sensitive data leaked in GWC’s current processes and wades through the reams of data to support legal action by allowing GWC to examine the content that has left the corporation.
Intellectual Property Management System (IPMS) is an internal project of Global Wafers Corporation. IPMS focuses on the loopholes in the current security processes and implements a security product available in the market, based on cost/benefit analysis and risk management suited to the semiconductor industry. The new security model is cost effective as it requires minimal capital investment for its development. Using available resources such as internal manpower and the company’s infrastructure, we have been able to complete the project within a rigid duration while keeping the budget under control. The company will benefit for up to three years from this project, satisfying both short-term and long-term costs. Since intellectual property management is an evolving field, we found this project very challenging; it required a thorough understanding of intellectual property rights and the IT security domain, and gave us an opportunity to learn and apply both the engineering and management aspects.
11 References
Shanmugam Parasuraman and Divya Kempaiah (2008, Fall). Intellectual Property Management System Final Project Scope. ENGR 281.
International Chamber of Commerce (2005, August). Intellectual Property: Source of Innovation, Creativity, Growth and Progress. 20.
Christopher Burgess and Richard Power (2006, July). How to Avoid Intellectual Property Theft. CIO Magazine.
Setec Investigations. Investigating Intellectual Property Theft.
Xiaocheng Ge, Fiona Polack and Regine Laleau. Secure Databases: An Analysis of Clark-Wilson Model in a Database Environment. Department of Computer Science, University of York.
What is a security model. Retrieved from http://www.crazylinux.net/downloads/projects/sec_models.pdf
Cunningham, Dykstra, Fuller, Gatford, Gold, Hubbard, Little, Manzuik, Morgan, Pfeil, Rogers, Schack and Snedaker (2007). The Best Damn IT Security Management Book Period. Syngress Publications.
Harold F. Tipton and Micki Krause. Information Security Management Handbook.
Mark, Roberta and Strassberg. Network Security: The Complete Reference.
Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems.
Gary Stoneburner, Alice Goguen and Alexis Feringa (2002, July). Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, Special Publication 800-30, 54.
Richard P. Tracy (2007). IT Security Management and Business Process Automation: Challenges, Approaches, and Rewards. Information Systems Security, 16, 114–122.
Hasan Cavusoglu, Huseyin Cavusoglu and Srinivasan Raghunathan (2004). Economics of IT Security Management: Four Improvements to Current Security Practices. Communications of the Association for Information Systems, 14, 65–75.
Gregory J. Millman (2008, March). Changing Face of IP. Financial Executive, 6, 34–39.
Michael S. Bowman (2003). Applied Economic Analysis for Technologists.
Larry Ponemon (2008, November). 2009 Security Mega Trends Survey. Ponemon Institute LLC.