
April 2012

How to protect your company’s intellectual assets?

Information Security Management for Intellectual Assets

The organization's Intellectual Assets include, among others, the know-how, trade secrets and knowledge about how the business operates, which the organization uses to achieve success.

Identify your Intellectual Assets, analyze the importance of each to your organization considering its strategic objectives, analyze the risks they are exposed to, develop and implement the processes necessary to protect them, and maintain a continuous process of monitoring.

“Securing the intellectual assets of an organization depends on the willingness of the organization to identify these assets, understand how these assets contribute to the success of the business and make the decision to protect them.”

PwC

Organizations always refer to "information security" or "IT security", but not to the security of the organization's intellectual assets (hereinafter the "IA"). The IAs are based on the knowledge of the organization, and developing them requires a long time and many resources. The IAs are developed through the organization’s process of continuous improvement and innovation, by which it turns organizational knowledge into products and services that have commercial value.

An organization’s processes of continuous improvement and innovation call for interaction with both internal processes and external entities (no person or company owns all the resources and expertise necessary to meet all its objectives), and it is in these interactions where security becomes important, since the knowledge and capabilities of the organization are its competitive edge and should remain protected.

A continuous improvement process (see Graph 1) verifies which failures or problems are identified within the processes and generates corrective and preventive actions, which are ultimately reflected in the way the process operates (this mode of operation differentiates one organization from another, since the processes contain know-how).

Graph 1- Continuous improvement process

When know-how is incorporated within the organization’s processes, these processes become IAs, and therefore it is vital to protect them.

The protection can be accomplished by implementing technical, administrative and even physical controls, such as:

- Technical: data encryption, control of logical access to document repositories.

- Administrative: contracts and non-disclosure agreements.

- Physical: controls on access to offices and physical files.

However, it is necessary to conduct a risk assessment to determine which are the most critical controls that should be implemented to protect these IAs.

An organizational innovation process (see Graph 2) is fed by ideas, research, experimentation, product and service failures, and ultimately by the company’s strategic planning, which generates organizational objectives that necessarily drive the organization to innovate.

Graph 2 – Innovation process

Information security aspects to be considered at each stage of the innovation process are defined according to the risk assessment; however, it is clear that confidentiality (and the controls related to it) is the most important aspect to be covered to secure the process.

Controls such as background checks, data encryption, logical access control and strong authentication, control of access to offices, communications monitoring, and restricted access to external mail and messaging, among others, are just some of the most important controls to be implemented.

Bringing information security to the IAs

Bringing information security to the point of protecting the organization’s IAs entails a new challenge in the protections that organizations must implement on their entire knowledge infrastructure; while innovation and knowledge management are not new for organizations, the security of these assets is a particular evolution in their models of information security management.

Just as the IAs are part of the organization’s organizational and operational knowledge, they are often supported on information technology assets, making it necessary to consider the value of IT and its alignment with the strategic business objectives, which will bring greater benefit from the investment made for the protection of the assets.

Today, organizations are faced with managing information technology effectively (following ITIL) and considering standards for an adequate IT governance model that allows them to properly manage risk and ensure compliance with industry regulations. Hence the need for a model that integrates the most important and accepted best-practice standards and codes for risk management, information security and the controls that support the governance and delivery of IT services.

This IA security approach can be aligned with ISO/IEC 27002 by relating its security controls to the security requirements of the innovation and continuous improvement processes, so that the security of the organization can be managed as a whole.

CobiT and its governance framework, within the management strategy, will allow greater control over the effectiveness of implemented controls and how flaws are managed and corrected during the process of operation and continuous improvement; ITIL provides guidance on how to implement the different guidelines defined by ISO 27001 and CobiT.

Graph 3 – Integration of ISO 27001, CobiT and ITIL

Felipe Silgado

CISSP, CISM, CRISC, ISO27001 LA

He is a TRS Manager (Technology Risk Services) for the Advisory line of service at PwC Colombia and is currently the Leader of the Information Security Outsourcing Services and the SOC (Security Operations Center). He has over 11 years of experience in information security in more than 100 companies, both domestic and international, from different industries.

He has developed and managed projects of design and implementation of Information Security Management Systems, ethical hacking tests, risk assessments, classification of information, design, implementation and operation of SOC services, auditing of information security management systems, among others.

He has excellent skills in information security project implementation and management, adding value to clients.

Integrating ISO 27001, CobiT and ITIL as a framework to protect IAs

Taking into account ISO/IEC 27002, it is possible to identify those sections that are more relevant to the protection of the organization’s innovation process. There is also a relationship with the CobiT framework, so that the process for securing the IAs has governance support:

Human Resources Security (Section 8): Controls from recruitment to termination of employment, to keep the IAs protected.

It is supported on the PO7 objective (Human Resources Management).

Acquisition, development and maintenance of information systems (Section 12): Protection of the systems and applications that safeguard the IAs information.

It is supported on the objectives:

- AI07 Install and Accredit Solutions and Changes

- AI06 Manage Changes

- AI03 Acquire and Maintain Technology Infrastructure

- AI02 Acquire and Maintain Application Software

Communications and Operations Management (Section 10): Protection of the communications through which IAs information is sent, received or transferred, as well as encryption of all information.

It is supported on the objectives:

- PO4 Define the IT Processes, Organization and Relationships

- AI06 Manage Changes

- DS1 Define and Manage Service Levels

- DS2 Manage Third Party Services

- DS3 Manage Performance and Capacity

- DS5 Ensure Systems Security

- DS11 Manage Data

Physical and environmental security (Section 9): Protection of company facilities to prevent leaks of IAs information.

It is supported on the objectives:

- AI03 Acquire and Maintain Technology Infrastructure

- PO4 Define the IT Processes, Organization and Relationships

- DS5 Ensure Systems Security

Access control (Section 11): Controlling access to the IAs to maintain levels of confidentiality and access to them.

It is supported on the objectives:

- PO2 Define the Information Architecture

- PO6 Communicate Management Aims and Direction

- DS5 Ensure Systems Security

- AI01 Identify Automated Solutions

Compliance (Section 15): Protection of IAs through contracts, compliance with copyright laws, generating license agreements, patent licensing, among others.

It is supported on the objectives:

- PO4 Define the IT Processes, Organization and Relationships

- PO6 Communicate Management Aims and Direction

- AI02 Acquire and Maintain Application Software

- DS5 Ensure Systems Security

Incident management (Section 13): Monitoring IAs and managing IAs security incidents.

It is supported on the objectives:

- PO9 Assess and Manage IT Risks

- AI02 Acquire and Maintain Application Software

- DS5 Ensure Systems Security

- DS8 Manage Service Desk and Incidents

Ricardo Herrera

CISSP, CEH, GCFA, ISO27001 LA

He is a Senior TRS Consultant (Technology Risk Services) for the Advisory line of service at PwC Colombia. He has more than 5 years of experience in information security in several companies of the private and government sectors, both domestic and international.

He is experienced in the definition and implementation of Information Security Management Systems (ISMS) based on ISO/IEC 27001, Disaster Recovery Plans (DRP) and Business Continuity Plans (BCP) based on BS25999-1:2006 and BS25777:2008.

He has strong knowledge of the development of information security tests for technological infrastructure (certified as Ethical Hacker with the EC-Council) and forensic tests.


Conclusion

If the company’s innovation process information and know-how are not properly protected, the organization may be more exposed to the materialization of the IAs’ inherent risks, thus impacting its business continuity and allowing competitors to take advantage of this weakness.

There are several information security frameworks that can lead the organization to protect its IAs, but it is always recommended to use existing standards and frameworks accepted worldwide, since these contain the best practices that other organizations have identified to protect their assets.

How can PwC’s Information Security Advisory Services help your organization to protect and keep secure your IAs and your company’s know-how?

Contact us:

Jorge Mario Añez
Partner – Advisory
Tel: +57 1 6340555 ext. [email protected]

Felipe Silgado
Manager - IT Effectiveness - TRS
Tel: +57 1 6684999 ext. [email protected]