Open Framework, Information Management Strategy & Collaborative Governance | Data & Social Methodology - MIKE2.0 Methodology

Are You Protecting Your Enterprise Content

From MIKE2.0 Methodology

Everyone who reads newspapers today sees articles about lost information: patent research compromised, important e-mails lost or destroyed illegally, credit card information compromised, identities stolen, companies penalized for not responding in a timely manner to eDiscovery requests. These headlines strike fear in the hearts of C-level corporate officers – or should.

Identify the problem first

Chief Risk Officers (CRO), Chief Legal Officers (CLO), Chief Security Officers (CSO), and CEOs should ask themselves honestly if they are doing everything they can to protect their intellectual property and sensitive corporate documents. At a bare minimum they should ask themselves the following questions:

  1. Do we have an enterprise strategy for protecting sensitive information?
  2. Do we have one person or group responsible for establishing and enforcing an information protection policy?
  3. Can we control documents that pass outside the firewall?
  4. Can we control interdepartmental and intradepartmental access to sensitive information?
  5. Can we track and control access to e-mail attachments sent to non-employees?
  6. Can we control access to information after it is downloaded to a hard drive?
  7. Can we attest that all information policies are followed?
  8. Can we prove that a document has not been unlawfully copied?
  9. Can we provide an audit trail of access to all key corporate documents?
  10. Do we know where our sensitive information is at any point in time?

If the answer to any or all of these questions is “no,” the enterprise faces serious risks of content compromise.

Add to these questions the increasingly complex world of regulatory compliance (HIPAA, Sarbanes-Oxley, Data Protection Act for the European Union, Gramm-Leach-Bliley Act, DoD 5015.2, and the new Federal Rules of Civil Procedure for eDiscovery) and C-level executives have plenty to worry about.

Just a few years ago, protecting sensitive information was a matter of keeping the ‘bad guys’ out. The focus was on access and availability. The threats were denials of service, network intrusion and external attacks. The approach was to install firewalls, IPS/IDS, and anti-malware. And the solution was to build and protect the perimeter.

Today, executives must assume that the ‘bad guys’ are already inside. The threats are breach of privacy, theft of intellectual property, and insider attacks. The focus has shifted to persistent control and accountability. The approach centers on identity management and data encryption. And the solution is to manage and protect the information itself.

The good news is that such risks can be prevented with planning and forethought. ‘Procedural and technical padlocks’ can be placed on intellectual property.

Identify what needs to be reviewed

BearingPoint believes there are five areas an enterprise should review to secure its content.

The first is a complete review of all information-relevant policies, including record retention and disposition, usage, and e-mail access, among others. It is not sufficient to have a policy if it is not enforced and enforceable. Therefore, executive approval and sponsorship for implementation of content protection policies is mandatory. Retention and disposition schedules should be developed, implemented consistently across the enterprise, and reviewed periodically. Policies must be communicated to all affected employees, who must attest to their knowledge of the policies and their willingness to comply with them.

Next, procedures should be developed and communicated throughout the enterprise. Wherever possible, processes should be automated, centralized and implemented consistently. These procedures must support the goals of the enterprise.

People must understand the importance of compliance because there must be consequences for non-compliance. Performance measurements should be designed and implemented in all business units and supported by IT. Compliance policies and procedures should be reviewed annually by every employee as a criterion of continuing employment. Training curricula should be created and all affected employees should be trained and monitored to ensure compliance.

Clear and concise communication plans should be developed and approved by executive leadership. Measurements of the plan’s effectiveness should be developed and implemented.

Lastly, BearingPoint believes that an enterprise should invest in technical solutions to prevent the unauthorized use of intellectual property. Technology must protect a document at both the document and page level. Further, it must provide detailed audit trails and real-time monitoring functionality.

Get started

BearingPoint believes that assessing the problem is the essential starting point. Addressing the five elements above – Policies, Procedures, People, Communications and Technology – in that order provides a roadmap for protecting intellectual property. An enterprise must align its strategic plan with its business strategy, codify how critical decisions are made and develop risk mitigation plans. It must review its processes and not be afraid to change them. It must review gaps in its current information management technology. The enterprise should focus on software products that are already available, such as EMC’s Information Rights Management Services software, because the responsibility for performance belongs to the vendor, not to the IT department. Under no circumstances should an enterprise fall victim to the IT department that feels it can develop a tool for internal use. Over time, these tools fail and failure has a steep price.

An enterprise should honestly look at the financial implications of not protecting its sensitive information. This should not be a decision based on the cost of purchasing and implementing the software. This should be a decision based on whether or not an enterprise can afford the risk of compromised intellectual property.

An enterprise should not underestimate the impact of intellectual property management decisions on the people who must implement them. People by nature are resistant to change. Incentives for compliance and consequences for non-compliance must be thoroughly communicated throughout the enterprise.

At the end of the day, C-level executives must ask themselves if they can postpone the inevitable and wait until their sensitive information is compromised. They should be proactive and protect their information immediately. Forward thinking encourages careful attention to the areas that should be reviewed. When policies and procedures are supported by technology (and not the reverse) an enterprise is ready to mitigate risk and control costs.
