The establishment of sound security policies
and procedures is vital to the protection of intellectual property assets.
However, it is the enforcement and maintenance of those policies and
procedures that is key.
Organisations will frequently grow lax with regard to
security once policies have been drafted and systems installed. Security is an
ongoing function, which requires constant oversight, regular training and
frequent maintenance. Successful intellectual property protection programmes
treat security as an integral component of sound operations and as an
integrated approach that combines information security, procedural security
and physical security. Strong intellectual property protection focuses in particular
on the following areas:
- Information security
- Staff security awareness
- Access control
- Key positions
- Confidentiality
- Third party service providers
Information Security
One of the leading vulnerabilities to a corporation is not the physical network
itself, but the unprotected documents and data within a company. Many
enterprises are trying to meet the challenge of accessing, managing and
tracking their intellectual property. Protecting these assets requires a
different dynamic.
Organizations that have had proprietary information taken illegally do not always know a
breach occurred. Once they become aware, charging accused perpetrators is often
difficult as the act requires the victimized company to prove where the
information originated and who actually owned it. In addition, the company must
also prove that it made efforts to protect it, a process often referred to as
“due care.”
Information Security (the protection of the data itself) should not be confused with IT
Security (generally the protection of the systems). Full implementation of a
comprehensive Information Security programme
requires an understanding of what key data is held within the
organization and then where and how it is stored and who has access. The
programme then requires the integration of electronic protection measures,
physical security measures, training and an understanding of who is allowed
access.
Staff Security Awareness
Both domestic and foreign-invested companies typically suffer from low levels of security awareness in China. Staff are frequently unaware of security policies, what constitutes a security breach and how on a daily basis they should work to ensure the security of company assets. With regard to intellectual property, although staff may be aware of the most critical assets (e.g. formulas, production methods, financial information), the value of other business information, such as employee, customer and product lists, may not be acknowledged and is therefore inadequately controlled.
Awareness-building programs are fundamental to the success of any operational security
strategy regarding intellectual property protection and should be conducted
regularly. Security systems and policies, after all, are only as good as the
people using them. In the case of intellectual property protection—where the
loss of a single document can constitute a significant security
breach—particular attention should be focused not only on educating and
training security guards, but also ensuring that all staff understand the value
of company information and are up-to-date on best methods of information
protection. Some systems, however, should remain confidential and be excluded
from staff-wide awareness training programs, because staff who are
fully informed of all company intellectual property protection methods are
also best placed to circumvent those procedures.
Our Recommendations:
- Define company security policies clearly and
concisely and ensure that they are readily available to all staff members.
- Ensure that all company intellectual property
assets are also well defined and made known to staff members.
- Raise awareness of the importance of security
by conducting staff security awareness training—perhaps as a portion of the
company’s induction program—and regularly discussing security issues during
management meetings.
- Monitor staff regularly to ensure compliance
with security policies.
Access Control
Site entrance and exit should be closely monitored, with comprehensive
documentation maintained and reviewed, and security systems
should be implemented in full. Audit
logs documenting entry and exit of the site and facilities, if kept, are often
poorly maintained and infrequently reviewed. Security systems, such as infrared
barriers, are sometimes not activated; more often than not, they are not used
to their full potential. Security guards are also
generally timid towards foreigners, and will often allow access to sites
unchallenged.
Our Recommendations:
- Install an access control system to restrict
access by area and time, and log all access to the site and facilities therein.
- Consider conducting a security and threat
assessment of the site to identify vulnerabilities in the current security
system and procedures.
- Ensure regular maintenance is carried out on
existing security systems.
- Develop clear Standing Operational Procedures
for security guards. Conduct regular training and close monitoring of guards to
evaluate performance and effectiveness.
- Instruct guards to conduct the same entry and
exit procedures on all individuals, regardless of nationality, position with the company or visitor status.
Maintaining a secure perimeter is the first line of defence against
unauthorised entry and theft. However, access control is not limited to the
site and the buildings therein. It also concerns the
ability to define and track who has the right to view what information during
which intervals.
Our Recommendations:
- Implement a robust system to restrict and log
access to and usage of all digital information.
- Implement policies to ensure that all
staff-held intellectual property is properly secured after close of business,
such as a clear desk policy.
- Ensure that all physical data is maintained in
secure locations and that logs are kept tracking all access and usage of
information.
- Draft an access matrix chart clearly defining
individual levels of information access for all employees.
- Review all audit logs and conduct checks of
computer and information usage regularly.
Key Positions
Special attention should be paid to individuals
in key positions with extensive access to intellectual property. High turnover
rates carry the risk of sensitive information reaching competitors with the
departure of personnel. Hiring and retaining high-caliber personnel with strong
track records and proven integrity are important components in the prevention
of leakages that may compromise intellectual property security.
Our Recommendations:
- Conduct comprehensive background checks on all
key hires to verify previous experience and evaluate the candidates’ integrity.
- Draft comprehensive contracts that clearly
stipulate employees’ commitments to the company and include stringent
non-compete and non-disclosure clauses.
Confidentiality
In many countries, levels of confidentiality
are rarely implemented in full. Although
some documents may be clearly marked confidential, the bulk of information in
many organisations is not defined and could easily be mistreated or improperly
secured by unknowing staff.
Clearly defined levels of confidentiality
for company information are essential both for identifying the most valuable
intellectual property and for informing staff which information they should
be particularly attentive to. Documents marked “Confidential” are treated with security
in mind. In the event an intruder or employee attempts to remove marked
documents, there will be no confusion surrounding the status of that
information or the individual’s awareness of that status.
Our Recommendations:
- Implement a system whereby all company information can be defined as business use,
confidential or highly confidential.
- Ensure that all staff are briefed on and aware of the different levels of confidentiality
for company information and how to properly secure that which is more
sensitive.
Third Party Service Providers
Even companies with the most stringent intellectual property protection protocols and systems may not
extend the same rigorous internal controls to their third party service
providers. Many companies employ outsourced cleaning, gardening and maintenance
staff who are frequently on site and have or could gain access to valuable
information. Third party IT support and maintenance has virtually unrestricted
access to a company’s server and digital data stored therein. The security of
information, either digital or physical, stored offsite in data banks, is
susceptible to measures employed by the service provider. Likewise, any systems
installed by a third party, such as security and production systems, are
vulnerable to that company’s ability to control and monitor access to its own
intellectual property.
Our Recommendation:
- Stipulate company internal intellectual property protocols clearly in all contracts with
outsourced service providers, which should include a clause allowing the
company to conduct random audits and ensure the third party is maintaining its
contractual obligations.
Last update : Sunday, 25 May 2008