IT Compliance and Controls

Converging Business, Information, and Controls


Intellectual Assets: News items on Espionage & Public Dissemination of Data

February 20th, 2008 · 1 Comment

An organization's intellectual property can range from trade secrets (i.e. the ‘secret sauce recipe’) to customer-specific data.  Every organization must classify information appropriately based on its own usage of the data, governing laws, and best practices.  Two recent news items caught my attention as examples of data being compromised and the effects that followed.

The first is an example where a company’s secrets were stolen by an agent of a foreign government.  This company builds space shuttles, war planes, rockets, and commercial aircraft.  This is obviously a very clear national security concern, and also a massive competitive threat to the company itself.  The article is posted here at CNN.  Espionage charges are currently filed against the individuals involved.  The agent had ‘allegedly’ been sending data from Boeing to the China Aviation Industry since 1979.

Not much has been posted on the controls that were violated or bypassed; however, it is likely a breakdown that may have occurred as a result of the merger that brought this employee into the company’s environment.  This is pure speculation, but it is a common weakness and risk when organizations acquire companies and must combine their technologies, including identity management and HR safeguards.

The second is a story where Harvard’s website was breached.  The website is itself a repository likely to hold sensitive customer information, and also further network credentials.  The contents of the hacked system were then downloaded and posted as an archive file on BitTorrent.  This highlights a risk that is commonly discounted, summed up in the question “What can they really do with the data?”  In the case of a website with sensitive information, the answer is that it depends on who has the data.  In this case, the attackers distributed the information to the entire internet without prejudice and have eliminated this factor.  It is now highly likely that someone can leverage this information to cause further harm.  The news post is here.

In the end, companies must recognize the value of the intellectual assets of the organization.  As was demonstrated recently, the value of the data depends on the holder, and it is from that perspective that organizations must evaluate risk.

Best regards,

James DeLuccia

Tags: Access and Authorization · Human Resources · Logical Access · Monitoring and Performance Reviews · Risk Awareness
